From 0ba25e53512395277fe007d952365391ec696be4 Mon Sep 17 00:00:00 2001
From: Martin Taillefer <geeknoid@users.noreply.github.com>
Date: Wed, 9 Jan 2019 06:37:46 -0800
Subject: [PATCH 1/4] Comment fixes. (#752)

(cherry picked from commit 001174fb4d0ff37e5c585a72727b7623ae65a30d)
---
 .../istio.networking.v1alpha3.pb.html         | 24 +++++++++----------
 networking/v1alpha3/service_entry.pb.go       | 10 ++++----
 networking/v1alpha3/service_entry.proto       | 12 +++++-----
 networking/v1alpha3/virtual_service.pb.go     | 14 +++++------
 networking/v1alpha3/virtual_service.proto     | 14 +++++------
 5 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index a035e74a5c..1face7462e 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -266,12 +266,12 @@ <h2 id="CorsPolicy">CorsPolicy</h2>
 <section>
 <p>Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
 service. Refer to
-https://developer.mozilla.org/en-US/docs/Web/HTTP/Access<em>control</em>CORS
+<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS">https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS</a>
 for further details about cross origin resource sharing. For example,
 the following rule restricts cross origin requests to those originating
 from example.com domain using HTTP POST/GET, and sets the
-Access-Control-Allow-Credentials header to false. In addition, it only
-exposes X-Foo-bar header and sets an expiry period of 1 day.</p>
+<code>Access-Control-Allow-Credentials</code> header to false. In addition, it only
+exposes <code>X-Foo-bar</code> header and sets an expiry period of 1 day.</p>
 
 <pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
@@ -348,7 +348,7 @@ <h2 id="CorsPolicy">CorsPolicy</h2>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">google.protobuf.Duration</a></code></td>
 <td>
 <p>Specifies how long the results of a preflight request can be
-cached. Translates to the Access-Control-Max-Age header.</p>
+cached. Translates to the <code>Access-Control-Max-Age</code> header.</p>
 
 </td>
 </tr>
@@ -358,7 +358,7 @@ <h2 id="CorsPolicy">CorsPolicy</h2>
 <td>
 <p>Indicates whether the caller is allowed to send the actual request
 (not the preflight) using credentials. Translates to
-Access-Control-Allow-Credentials header.</p>
+<code>Access-Control-Allow-Credentials</code> header.</p>
 
 </td>
 </tr>
@@ -1694,8 +1694,8 @@ <h2 id="HTTPRetry">HTTPRetry</h2>
 <p>Specifies the conditions under which retry takes place.
 One or more policies can be specified using a ‘,’ delimited list.
 The supported policies can be found in
-&ldquo;https://www.envoyproxy.io/docs/envoy/latest/configuration/http<em>filters/router</em>filter#x-envoy-retry-on&rdquo;
-and &ldquo;https://www.envoyproxy.io/docs/envoy/latest/configuration/http<em>filters/router</em>filter#x-envoy-retry-grpc-on&rdquo;</p>
+<a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on">https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on</a>
+and <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on">https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on</a></p>
 
 </td>
 </tr>
@@ -3300,7 +3300,7 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
   - address: unix:///var/run/example/socket
 </code></pre>
 
-<p>For HTTP based services, it is possible to create a VirtualService
+<p>For HTTP-based services, it is possible to create a VirtualService
 backed by multiple DNS addressable endpoints. In such a scenario, the
 application can use the HTTP_PROXY environment variable to transparently
 reroute API calls for the VirtualService to a chosen backend. For
@@ -3333,10 +3333,10 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
       https: 7080
 </code></pre>
 
-<p>With HTTP_PROXY=http://localhost/, calls from the application to
-http://foo.bar.com will be load balanced across the three domains
-specified above. In other words, a call to http://foo.bar.com/baz would
-be translated to http://uk.foo.bar.com/baz.</p>
+<p>With <code>HTTP_PROXY=http://localhost/</code>, calls from the application to
+<code>http://foo.bar.com</code> will be load balanced across the three domains
+specified above. In other words, a call to <code>http://foo.bar.com/baz</code> would
+be translated to <code>http://uk.foo.bar.com/baz</code>.</p>
 
 <table class="message-fields">
 <thead>
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 2642cde348..47f0813a73 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -324,7 +324,7 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
 //   - address: unix:///var/run/example/socket
 // ```
 //
-// For HTTP based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a VirtualService
 // backed by multiple DNS addressable endpoints. In such a scenario, the
 // application can use the HTTP_PROXY environment variable to transparently
 // reroute API calls for the VirtualService to a chosen backend. For
@@ -358,10 +358,10 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
 //       https: 7080
 // ```
 //
-// With HTTP_PROXY=http://localhost/, calls from the application to
-// http://foo.bar.com will be load balanced across the three domains
-// specified above. In other words, a call to http://foo.bar.com/baz would
-// be translated to http://uk.foo.bar.com/baz.
+// With `HTTP_PROXY=http://localhost/`, calls from the application to
+// `http://foo.bar.com` will be load balanced across the three domains
+// specified above. In other words, a call to `http://foo.bar.com/baz` would
+// be translated to `http://uk.foo.bar.com/baz`.
 //
 type ServiceEntry struct {
 	// REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index b4f16f8b34..7c200a59aa 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -246,7 +246,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //   - address: unix:///var/run/example/socket
 // ```
 //
-// For HTTP based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a VirtualService
 // backed by multiple DNS addressable endpoints. In such a scenario, the
 // application can use the HTTP_PROXY environment variable to transparently
 // reroute API calls for the VirtualService to a chosen backend. For
@@ -280,10 +280,10 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //       https: 7080
 // ```
 //
-// With HTTP_PROXY=http://localhost/, calls from the application to
-// http://foo.bar.com will be load balanced across the three domains
-// specified above. In other words, a call to http://foo.bar.com/baz would
-// be translated to http://uk.foo.bar.com/baz.
+// With `HTTP_PROXY=http://localhost/`, calls from the application to
+// `http://foo.bar.com` will be load balanced across the three domains
+// specified above. In other words, a call to `http://foo.bar.com/baz` would
+// be translated to `http://uk.foo.bar.com/baz`.
 //
 message ServiceEntry {
   // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
@@ -371,7 +371,7 @@ message ServiceEntry {
 
   // REQUIRED: Service discovery mode for the hosts. Care must be taken
   // when setting the resolution mode to NONE for a TCP port without
-  // accompanying IP addresses. In such cases, traffic to any IP on 
+  // accompanying IP addresses. In such cases, traffic to any IP on
   // said port will be allowed (i.e. 0.0.0.0:<port>).
   Resolution resolution = 5;
 
diff --git a/networking/v1alpha3/virtual_service.pb.go b/networking/v1alpha3/virtual_service.pb.go
index 0e2c10eb3c..f5ddde8588 100644
--- a/networking/v1alpha3/virtual_service.pb.go
+++ b/networking/v1alpha3/virtual_service.pb.go
@@ -1485,8 +1485,8 @@ type HTTPRetry struct {
 	// Specifies the conditions under which retry takes place.
 	// One or more policies can be specified using a ‘,’ delimited list.
 	// The supported policies can be found in
-	// "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on"
-	// and "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on"
+	// <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on>
+	// and <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on>
 	RetryOn string `protobuf:"bytes,3,opt,name=retry_on,json=retryOn,proto3" json:"retry_on,omitempty"`
 }
 
@@ -1518,12 +1518,12 @@ func (m *HTTPRetry) GetRetryOn() string {
 
 // Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
 // service. Refer to
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+// <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>
 // for further details about cross origin resource sharing. For example,
 // the following rule restricts cross origin requests to those originating
 // from example.com domain using HTTP POST/GET, and sets the
-// Access-Control-Allow-Credentials header to false. In addition, it only
-// exposes X-Foo-bar header and sets an expiry period of 1 day.
+// `Access-Control-Allow-Credentials` header to false. In addition, it only
+// exposes `X-Foo-bar` header and sets an expiry period of 1 day.
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -1565,11 +1565,11 @@ type CorsPolicy struct {
 	// access. Serialized into Access-Control-Expose-Headers header.
 	ExposeHeaders []string `protobuf:"bytes,4,rep,name=expose_headers,json=exposeHeaders" json:"expose_headers,omitempty"`
 	// Specifies how long the results of a preflight request can be
-	// cached. Translates to the Access-Control-Max-Age header.
+	// cached. Translates to the `Access-Control-Max-Age` header.
 	MaxAge *google_protobuf.Duration `protobuf:"bytes,5,opt,name=max_age,json=maxAge" json:"max_age,omitempty"`
 	// Indicates whether the caller is allowed to send the actual request
 	// (not the preflight) using credentials. Translates to
-	// Access-Control-Allow-Credentials header.
+	// `Access-Control-Allow-Credentials` header.
 	AllowCredentials *google_protobuf1.BoolValue `protobuf:"bytes,6,opt,name=allow_credentials,json=allowCredentials" json:"allow_credentials,omitempty"`
 }
 
diff --git a/networking/v1alpha3/virtual_service.proto b/networking/v1alpha3/virtual_service.proto
index 860c614246..9efd014cea 100644
--- a/networking/v1alpha3/virtual_service.proto
+++ b/networking/v1alpha3/virtual_service.proto
@@ -908,19 +908,19 @@ message HTTPRetry {
   // Specifies the conditions under which retry takes place.
   // One or more policies can be specified using a ‘,’ delimited list.
   // The supported policies can be found in
-  // "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on"
-  // and "https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on"
+  // <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on>
+  // and <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on>
   string retry_on = 3;
 }
 
 // Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
 // service. Refer to
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+// <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>
 // for further details about cross origin resource sharing. For example,
 // the following rule restricts cross origin requests to those originating
 // from example.com domain using HTTP POST/GET, and sets the
-// Access-Control-Allow-Credentials header to false. In addition, it only
-// exposes X-Foo-bar header and sets an expiry period of 1 day.
+// `Access-Control-Allow-Credentials` header to false. In addition, it only
+// exposes `X-Foo-bar` header and sets an expiry period of 1 day.
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -966,12 +966,12 @@ message CorsPolicy {
   repeated string expose_headers = 4;
 
   // Specifies how long the results of a preflight request can be
-  // cached. Translates to the Access-Control-Max-Age header.
+  // cached. Translates to the `Access-Control-Max-Age` header.
   google.protobuf.Duration max_age = 5;
 
   // Indicates whether the caller is allowed to send the actual request
   // (not the preflight) using credentials. Translates to
-  // Access-Control-Allow-Credentials header.
+  // `Access-Control-Allow-Credentials` header.
   google.protobuf.BoolValue allow_credentials = 6;
 }
 

From aa7083e8826b9dd1dbb4a5f718ac470dbc5bda0a Mon Sep 17 00:00:00 2001
From: Jason Young <jasonyoung@google.com>
Date: Wed, 9 Jan 2019 10:31:45 -0800
Subject: [PATCH 2/4] Introduce forward looking MCP enhancements (#741)

* Introduce forward looking MCP enhancements

The initial version of Mesh Configuration Protocol (MCP) was
introduced to decouple Pilot/Mixer from the k8s kube-apiserver. These
enhancements address additional forward looking requirements as we
bring Galley and the MCP API to beta quality.

* Enable alternative control topologies where the source of
  configuration is not publicly accessible.

* Provide a feedback mechanism to report the observed config state to
  the user (e.g via CRD status).

* Improve performance at scale (e.g. Enterprise use case)

* Rationalize the resource model

The intent is to introduce these backwards incompatible API changes
now before Galley and MCP ship as beta quality and on-by-default.

Rationalization of the resource model and incremental improvements can
be implemented immediately as they effect the contract between Pilot
and Galley. Alternative control topologies and feedback/status are
inherently new features and can be implemented later with the same
APIs without concerns of breaking compatibility.

Design proposal: https://goo.gl/RTKMwF

* fix linter error

* add missing generated file

* proto-commit

* remove python/istio_api/mcp/v1alpha1/envelope_pb2.py

* s/envelope/resource

* s/client/node

* make proto-commit

* fix comments

* add system_version_info for compatibility with non-incremental MCP

* address review comments

* s/node/sink_node

* address more review comments

* update resource name documentation
---
 .gitattributes                                |    2 +
 mcp/v1alpha1/istio.mcp.v1alpha1.pb.html       |  395 +++-
 mcp/v1alpha1/mcp.pb.go                        | 1859 ++++++++++++++---
 mcp/v1alpha1/mcp.proto                        |  142 +-
 mcp/v1alpha1/metadata.pb.go                   |  400 +++-
 mcp/v1alpha1/metadata.proto                   |   49 +-
 .../{envelope.pb.go => resource.pb.go}        |  160 +-
 .../{envelope.proto => resource.proto}        |   10 +-
 proto.lock                                    |  184 +-
 prototool.yaml                                |    3 +
 python/istio_api/mcp/v1alpha1/mcp_pb2.py      |  369 +++-
 python/istio_api/mcp/v1alpha1/metadata_pb2.py |  123 +-
 .../{envelope_pb2.py => resource_pb2.py}      |   34 +-
 13 files changed, 3094 insertions(+), 636 deletions(-)
 create mode 100644 .gitattributes
 rename mcp/v1alpha1/{envelope.pb.go => resource.pb.go} (56%)
 rename mcp/v1alpha1/{envelope.proto => resource.proto} (79%)
 rename python/istio_api/mcp/v1alpha1/{envelope_pb2.py => resource_pb2.py} (65%)

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000..1db2bfabfe
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+*.pb.go linguist-generated=true
+*.pb.html linguist-generated=true
diff --git a/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html b/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html
index 48999418da..bcee77a76a 100644
--- a/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html
+++ b/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html
@@ -2,7 +2,7 @@
 title: istio.mcp.v1alpha1
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-number_of_entries: 9
+number_of_entries: 13
 ---
 <p>This package defines the common, core types used by the Mesh Configuration Protocol.</p>
 
@@ -27,76 +27,31 @@ <h3 id="AggregatedMeshConfigService">AggregatedMeshConfigService</h3>
 scalability of MCP resources.</p>
 
 </section>
-<h2 id="Types">Types</h2>
-<h3 id="Client">Client</h3>
+<h3 id="ResourceSink">ResourceSink</h3>
 <section>
-<p>Identifies a specific MCP client instance. The client identifier is
-presented to the management server, which may use this identifier
-to distinguish per client configuration for serving. This
-information is not authoriative. Authoritative identity should come
-from the underlying transport layer (e.g. rpc credentials).</p>
+<p>Service where the source is the gRPC client. The source is responsible for
+initiating connections and opening streams.</p>
 
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Client-id">
-<td><code>id</code></td>
-<td><code>string</code></td>
-<td>
-<p>An opaque identifier for the MCP client.</p>
-
-</td>
-</tr>
-<tr id="Client-metadata">
-<td><code>metadata</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">google.protobuf.Struct</a></code></td>
-<td>
-<p>Opaque metadata extending the client identifier.</p>
+<pre id="ResourceSink-EstablishResourceStream"><code class="language-proto">rpc EstablishResourceStream(Resources) returns (RequestResources)
+</code></pre>
+<p>The source, acting as gRPC client, establishes a new resource stream
+with the sink. The sink sends RequestResources message to and
+receives Resources messages from the source.</p>
 
-</td>
-</tr>
-</tbody>
-</table>
 </section>
-<h3 id="Envelope">Envelope</h3>
+<h3 id="ResourceSource">ResourceSource</h3>
 <section>
-<p>Envelope for a configuration resource as transferred via the Mesh Configuration Protocol.
-Each envelope is made up of common metadata, and a type-specific resource payload.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Envelope-metadata">
-<td><code>metadata</code></td>
-<td><code><a href="#Metadata">Metadata</a></code></td>
-<td>
-<p>Common metadata describing the resource.</p>
+<p>Service where the sink is the gRPC client. The sink is responsible for
+initiating connections and opening streams.</p>
 
-</td>
-</tr>
-<tr id="Envelope-resource">
-<td><code>resource</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#any">google.protobuf.Any</a></code></td>
-<td>
-<p>The resource itself.</p>
+<pre id="ResourceSource-EstablishResourceStream"><code class="language-proto">rpc EstablishResourceStream(RequestResources) returns (Resources)
+</code></pre>
+<p>The sink, acting as gRPC client, establishes a new resource stream
+with the source. The sink sends RequestResources message to
+and receives Resources messages from the source.</p>
 
-</td>
-</tr>
-</tbody>
-</table>
 </section>
+<h2 id="Types">Types</h2>
 <h3 id="IncrementalMeshConfigRequest">IncrementalMeshConfigRequest</h3>
 <section>
 <p>IncrementalMeshConfigRequest are be sent in 2 situations:</p>
@@ -118,11 +73,11 @@ <h3 id="IncrementalMeshConfigRequest">IncrementalMeshConfigRequest</h3>
 </tr>
 </thead>
 <tbody>
-<tr id="IncrementalMeshConfigRequest-client">
-<td><code>client</code></td>
-<td><code><a href="#Client">Client</a></code></td>
+<tr id="IncrementalMeshConfigRequest-sink_node">
+<td><code>sinkNode</code></td>
+<td><code><a href="#SinkNode">SinkNode</a></code></td>
 <td>
-<p>The client making the request.</p>
+<p>The sink node making the request.</p>
 
 </td>
 </tr>
@@ -203,11 +158,11 @@ <h3 id="IncrementalMeshConfigResponse">IncrementalMeshConfigResponse</h3>
 
 </td>
 </tr>
-<tr id="IncrementalMeshConfigResponse-envelopes">
-<td><code>envelopes</code></td>
-<td><code><a href="#Envelope">Envelope[]</a></code></td>
+<tr id="IncrementalMeshConfigResponse-resources">
+<td><code>resources</code></td>
+<td><code><a href="#Resource">Resource[]</a></code></td>
 <td>
-<p>The response resources wrapped in the common MCP <em>Envelope</em>
+<p>The response resources wrapped in the common MCP <em>Resource</em>
 message. These are typed resources that match the type url in the
 IncrementalMeshConfigRequest.</p>
 
@@ -265,11 +220,11 @@ <h3 id="MeshConfigRequest">MeshConfigRequest</h3>
 
 </td>
 </tr>
-<tr id="MeshConfigRequest-client">
-<td><code>client</code></td>
-<td><code><a href="#Client">Client</a></code></td>
+<tr id="MeshConfigRequest-sink_node">
+<td><code>sinkNode</code></td>
+<td><code><a href="#SinkNode">SinkNode</a></code></td>
 <td>
-<p>The client making the request.</p>
+<p>The sink node making the request.</p>
 
 </td>
 </tr>
@@ -331,11 +286,11 @@ <h3 id="MeshConfigResponse">MeshConfigResponse</h3>
 
 </td>
 </tr>
-<tr id="MeshConfigResponse-envelopes">
-<td><code>envelopes</code></td>
-<td><code><a href="#Envelope">Envelope[]</a></code></td>
+<tr id="MeshConfigResponse-resources">
+<td><code>resources</code></td>
+<td><code><a href="#Resource">Resource[]</a></code></td>
 <td>
-<p>The response resources wrapped in the common MCP <em>Envelope</em>
+<p>The response resources wrapped in the common MCP <em>Resource</em>
 message.</p>
 
 </td>
@@ -344,9 +299,9 @@ <h3 id="MeshConfigResponse">MeshConfigResponse</h3>
 <td><code>typeUrl</code></td>
 <td><code>string</code></td>
 <td>
-<p>Type URL for resources wrapped in the provided envelope(s). This
+<p>Type URL for resources wrapped in the provided resources(s). This
 must be consistent with the type_url in the wrapper messages if
-envelopes is non-empty.</p>
+resources is non-empty.</p>
 
 </td>
 </tr>
@@ -385,10 +340,38 @@ <h3 id="Metadata">Metadata</h3>
 <td><code>name</code></td>
 <td><code>string</code></td>
 <td>
-<p>The name of the resource. It is unique within the context of a
-resource type and the origin server of the resource. The resource
-type is identified by the TypeUrl of the resource field of the
-Envelope message.</p>
+<p>Fully qualified name of the resource. Unique in context of a collection.</p>
+
+<p>The fully qualified name consists of a directory and basename. The directory identifies
+the resources location in a resource hierarchy. The basename identifies the specific
+resource name within the context of that directory.</p>
+
+<p>The directory and basename are composed of one or more segments. Segments must be
+valid <a href="https://tools.ietf.org/html/rfc1123">DNS labels</a>. “/” is the delimiter between
+segments</p>
+
+<p>The rightmost segment is the basename. All segments to the
+left of the basename form the directory. Segments moving towards the left
+represent higher positions in the resource hierarchy, similar to reverse
+DNS notation. e.g.</p>
+
+<p>/<org>/<team>/<subteam>/<resource basename></p>
+
+<p>An empty directory indicates a resource that is located at the root of the
+hierarchy, e.g.</p>
+
+<p>/<globally scoped resource></p>
+
+<p>On Kubernetes the resource hierarchy is two-levels: namespaces and
+cluster-scoped (i.e. global).</p>
+
+<p>Namespace resources fully qualified name is of the form:</p>
+
+<p>&rdquo;/<k8s namespace>/<k8s resource name>&ldquo;</p>
+
+<p>Cluster scoped resources are located at the root of the hierarchy and are of the form:</p>
+
+<p>&rdquo;/<k8s resource name>&ldquo;</p>
 
 </td>
 </tr>
@@ -404,8 +387,246 @@ <h3 id="Metadata">Metadata</h3>
 <td><code>version</code></td>
 <td><code>string</code></td>
 <td>
-<p>The resource level version. It allows MCP to track the state of
-individual resources.</p>
+<p>Resource version. This is used to determine when resources change across
+resource updates. It should be treated as opaque by consumers/sinks.</p>
+
+</td>
+</tr>
+<tr id="Metadata-labels">
+<td><code>labels</code></td>
+<td><code>map&lt;string,&nbsp;string&gt;</code></td>
+<td>
+<p>Map of string keys and values that can be used to organize and categorize
+resources within a collection.</p>
+
+</td>
+</tr>
+<tr id="Metadata-annotations">
+<td><code>annotations</code></td>
+<td><code>map&lt;string,&nbsp;string&gt;</code></td>
+<td>
+<p>Map of string keys and values that can be used by source and sink to communicate
+arbitrary metadata about this resource.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="RequestResources">RequestResources</h3>
+<section>
+<p>A RequestResource can be sent in two situations:</p>
+
+<p>Initial message in an MCP bidirectional change stream
+as an ACK or NACK response to a previous Resources. In
+this case the response<em>nonce is set to the nonce value
+in the Resources. ACK/NACK is determined by the presence
+of error</em>detail.</p>
+
+<ul>
+<li>ACK  (nonce!=&ldquo;&rdquo;,error_details==nil)</li>
+<li>NACK (nonce!=&ldquo;&rdquo;,error_details!=nil)</li>
+<li>New/Update request (nonce==&ldquo;&rdquo;,error_details ignored)</li>
+</ul>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="RequestResources-sink_node">
+<td><code>sinkNode</code></td>
+<td><code><a href="#SinkNode">SinkNode</a></code></td>
+<td>
+<p>The sink node making the request.</p>
+
+</td>
+</tr>
+<tr id="RequestResources-collection">
+<td><code>collection</code></td>
+<td><code>string</code></td>
+<td>
+<p>Type of resource collection that is being requested, e.g.</p>
+
+<p>istio/networking/v1alpha3/VirtualService
+k8s/<apiVersion>/<kind></p>
+
+</td>
+</tr>
+<tr id="RequestResources-initial_resource_versions">
+<td><code>initialResourceVersions</code></td>
+<td><code>map&lt;string,&nbsp;string&gt;</code></td>
+<td>
+<p>When the RequestResources is the first in a stream, the initial<em>resource</em>versions must
+be populated. Otherwise, initial<em>resource</em>versions must be omitted. The keys are the
+resources names of the MCP resources known to the MCP client. The values in the map
+are the associated resource level version info.</p>
+
+</td>
+</tr>
+<tr id="RequestResources-response_nonce">
+<td><code>responseNonce</code></td>
+<td><code>string</code></td>
+<td>
+<p>When the RequestResources is an ACK or NACK message in response to a previous RequestResources,
+the response<em>nonce must be the nonce in the RequestResources. Otherwise response</em>nonce must
+be omitted.</p>
+
+</td>
+</tr>
+<tr id="RequestResources-error_detail">
+<td><code>errorDetail</code></td>
+<td><code><a href="#google-rpc-Status">google.rpc.Status</a></code></td>
+<td>
+<p>This is populated when the previously received resources could not be applied
+The <em>message</em> field in <em>error_details</em> provides the source internal error
+related to the failure.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="Resource">Resource</h3>
+<section>
+<p>Resource as transferred via the Mesh Configuration Protocol. Each
+resource is made up of common metadata, and a type-specific resource payload.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="Resource-metadata">
+<td><code>metadata</code></td>
+<td><code><a href="#Metadata">Metadata</a></code></td>
+<td>
+<p>Common metadata describing the resource.</p>
+
+</td>
+</tr>
+<tr id="Resource-body">
+<td><code>body</code></td>
+<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#any">google.protobuf.Any</a></code></td>
+<td>
+<p>The primary payload for the resource.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="Resources">Resources</h3>
+<section>
+<p>Resources do not need to include a full snapshot of the tracked
+resources. Instead they are a diff to the state of a MCP client.
+Per resource versions allow sources and sinks to track state at
+the resource granularity. An MCP incremental session is always
+in the context of a gRPC bidirectional stream. This allows the
+MCP source to keep track of the state of MCP sink connected to
+it.</p>
+
+<p>In Incremental MCP the nonce field is required and used to pair
+Resources to an RequestResources ACK or NACK.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="Resources-system_version_info">
+<td><code>systemVersionInfo</code></td>
+<td><code>string</code></td>
+<td>
+<p>The version of the response data (used for debugging).</p>
+
+</td>
+</tr>
+<tr id="Resources-collection">
+<td><code>collection</code></td>
+<td><code>string</code></td>
+<td>
+<p>Type of resource collection that is being requested, e.g.</p>
+
+<p>istio/networking/v1alpha3/VirtualService
+k8s/<apiVersion>/<kind></p>
+
+</td>
+</tr>
+<tr id="Resources-resources">
+<td><code>resources</code></td>
+<td><code><a href="#Resource">Resource[]</a></code></td>
+<td>
+<p>The response resources wrapped in the common MCP <em>Resource</em> message.
+These are typed resources that match the type url in the
+RequestResources message.</p>
+
+</td>
+</tr>
+<tr id="Resources-removed_resources">
+<td><code>removedResources</code></td>
+<td><code>string[]</code></td>
+<td>
+<p>Names of resources that have been deleted and to be
+removed from the MCP sink node. Removed resources for missing
+resources can be ignored.</p>
+
+</td>
+</tr>
+<tr id="Resources-nonce">
+<td><code>nonce</code></td>
+<td><code>string</code></td>
+<td>
+<p>Required. The nonce provides a way for RequestChange to uniquely
+reference a RequestResources.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="SinkNode">SinkNode</h3>
+<section>
+<p>Identifies a specific MCP sink node instance. The node identifier is
+presented to the resource source, which may use this identifier
+to distinguish per sink configuration for serving. This
+information is not authoritative. Authoritative identity should come
+from the underlying transport layer (e.g. rpc credentials).</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="SinkNode-id">
+<td><code>id</code></td>
+<td><code>string</code></td>
+<td>
+<p>An opaque identifier for the MCP node.</p>
+
+</td>
+</tr>
+<tr id="SinkNode-annotations">
+<td><code>annotations</code></td>
+<td><code>map&lt;string,&nbsp;string&gt;</code></td>
+<td>
+<p>Opaque annotations extending the node identifier.</p>
 
 </td>
 </tr>
diff --git a/mcp/v1alpha1/mcp.pb.go b/mcp/v1alpha1/mcp.pb.go
index b8b77efd4a..764783c4da 100644
--- a/mcp/v1alpha1/mcp.pb.go
+++ b/mcp/v1alpha1/mcp.pb.go
@@ -1,12 +1,30 @@
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: mcp/v1alpha1/mcp.proto
 
+/*
+	Package v1alpha1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		mcp/v1alpha1/mcp.proto
+		mcp/v1alpha1/metadata.proto
+		mcp/v1alpha1/resource.proto
+
+	It has these top-level messages:
+		SinkNode
+		MeshConfigRequest
+		MeshConfigResponse
+		IncrementalMeshConfigRequest
+		IncrementalMeshConfigResponse
+		RequestResources
+		Resources
+		Metadata
+		Resource
+*/
 package v1alpha1
 
 import proto "github.com/gogo/protobuf/proto"
 import fmt "fmt"
 import math "math"
-import google_protobuf3 "github.com/gogo/protobuf/types"
 import google_rpc "github.com/gogo/googleapis/google/rpc"
 import _ "github.com/gogo/protobuf/gogoproto"
 
@@ -20,33 +38,39 @@ var _ = proto.Marshal
 var _ = fmt.Errorf
 var _ = math.Inf
 
-// Identifies a specific MCP client instance. The client identifier is
-// presented to the management server, which may use this identifier
-// to distinguish per client configuration for serving. This
-// information is not authoriative. Authoritative identity should come
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// Identifies a specific MCP sink node instance. The node identifier is
+// presented to the resource source, which may use this identifier
+// to distinguish per sink configuration for serving. This
+// information is not authoritative. Authoritative identity should come
 // from the underlying transport layer (e.g. rpc credentials).
-type Client struct {
-	// An opaque identifier for the MCP client.
+type SinkNode struct {
+	// An opaque identifier for the MCP node.
 	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
-	// Opaque metadata extending the client identifier.
-	Metadata *google_protobuf3.Struct `protobuf:"bytes,2,opt,name=metadata" json:"metadata,omitempty"`
+	// Opaque annotations extending the node identifier.
+	Annotations map[string]string `protobuf:"bytes,2,rep,name=annotations" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
 
-func (m *Client) Reset()                    { *m = Client{} }
-func (m *Client) String() string            { return proto.CompactTextString(m) }
-func (*Client) ProtoMessage()               {}
-func (*Client) Descriptor() ([]byte, []int) { return fileDescriptorMcp, []int{0} }
+func (m *SinkNode) Reset()                    { *m = SinkNode{} }
+func (m *SinkNode) String() string            { return proto.CompactTextString(m) }
+func (*SinkNode) ProtoMessage()               {}
+func (*SinkNode) Descriptor() ([]byte, []int) { return fileDescriptorMcp, []int{0} }
 
-func (m *Client) GetId() string {
+func (m *SinkNode) GetId() string {
 	if m != nil {
 		return m.Id
 	}
 	return ""
 }
 
-func (m *Client) GetMetadata() *google_protobuf3.Struct {
+func (m *SinkNode) GetAnnotations() map[string]string {
 	if m != nil {
-		return m.Metadata
+		return m.Annotations
 	}
 	return nil
 }
@@ -63,8 +87,8 @@ type MeshConfigRequest struct {
 	// the previous API config version respectively. Each type_url (see
 	// below) has an independent version associated with it.
 	VersionInfo string `protobuf:"bytes,1,opt,name=version_info,json=versionInfo,proto3" json:"version_info,omitempty"`
-	// The client making the request.
-	Client *Client `protobuf:"bytes,2,opt,name=client" json:"client,omitempty"`
+	// The sink node making the request.
+	SinkNode *SinkNode `protobuf:"bytes,2,opt,name=sink_node,json=sinkNode" json:"sink_node,omitempty"`
 	// Type of the resource that is being requested, e.g.
 	// "type.googleapis.com/istio.io.networking.v1alpha3.VirtualService".
 	TypeUrl string `protobuf:"bytes,3,opt,name=type_url,json=typeUrl,proto3" json:"type_url,omitempty"`
@@ -94,9 +118,9 @@ func (m *MeshConfigRequest) GetVersionInfo() string {
 	return ""
 }
 
-func (m *MeshConfigRequest) GetClient() *Client {
+func (m *MeshConfigRequest) GetSinkNode() *SinkNode {
 	if m != nil {
-		return m.Client
+		return m.SinkNode
 	}
 	return nil
 }
@@ -127,12 +151,12 @@ func (m *MeshConfigRequest) GetErrorDetail() *google_rpc.Status {
 type MeshConfigResponse struct {
 	// The version of the response data.
 	VersionInfo string `protobuf:"bytes,1,opt,name=version_info,json=versionInfo,proto3" json:"version_info,omitempty"`
-	// The response resources wrapped in the common MCP *Envelope*
+	// The response resources wrapped in the common MCP *Resource*
 	// message.
-	Envelopes []Envelope `protobuf:"bytes,2,rep,name=envelopes" json:"envelopes"`
-	// Type URL for resources wrapped in the provided envelope(s). This
+	Resources []Resource `protobuf:"bytes,2,rep,name=resources" json:"resources"`
+	// Type URL for resources wrapped in the provided resources(s). This
 	// must be consistent with the type_url in the wrapper messages if
-	// envelopes is non-empty.
+	// resources is non-empty.
 	TypeUrl string `protobuf:"bytes,3,opt,name=type_url,json=typeUrl,proto3" json:"type_url,omitempty"`
 	// The nonce provides a way to explicitly ack a specific
 	// MeshConfigResponse in a following MeshConfigRequest. Additional
@@ -157,9 +181,9 @@ func (m *MeshConfigResponse) GetVersionInfo() string {
 	return ""
 }
 
-func (m *MeshConfigResponse) GetEnvelopes() []Envelope {
+func (m *MeshConfigResponse) GetResources() []Resource {
 	if m != nil {
-		return m.Envelopes
+		return m.Resources
 	}
 	return nil
 }
@@ -186,8 +210,8 @@ func (m *MeshConfigResponse) GetNonce() string {
 //      In this case the response_nonce is set to the nonce value in the Response.
 //      ACK or NACK is determined by the absence or presence of error_detail.
 type IncrementalMeshConfigRequest struct {
-	// The client making the request.
-	Client *Client `protobuf:"bytes,1,opt,name=client" json:"client,omitempty"`
+	// The sink node making the request.
+	SinkNode *SinkNode `protobuf:"bytes,1,opt,name=sink_node,json=sinkNode" json:"sink_node,omitempty"`
 	// Type of the resource that is being requested, e.g.
 	// "type.googleapis.com/istio.io.networking.v1alpha3.VirtualService".
 	TypeUrl string `protobuf:"bytes,2,opt,name=type_url,json=typeUrl,proto3" json:"type_url,omitempty"`
@@ -213,9 +237,9 @@ func (m *IncrementalMeshConfigRequest) String() string            { return proto
 func (*IncrementalMeshConfigRequest) ProtoMessage()               {}
 func (*IncrementalMeshConfigRequest) Descriptor() ([]byte, []int) { return fileDescriptorMcp, []int{3} }
 
-func (m *IncrementalMeshConfigRequest) GetClient() *Client {
+func (m *IncrementalMeshConfigRequest) GetSinkNode() *SinkNode {
 	if m != nil {
-		return m.Client
+		return m.SinkNode
 	}
 	return nil
 }
@@ -263,10 +287,10 @@ func (m *IncrementalMeshConfigRequest) GetErrorDetail() *google_rpc.Status {
 type IncrementalMeshConfigResponse struct {
 	// The version of the response data (used for debugging).
 	SystemVersionInfo string `protobuf:"bytes,1,opt,name=system_version_info,json=systemVersionInfo,proto3" json:"system_version_info,omitempty"`
-	// The response resources wrapped in the common MCP *Envelope*
+	// The response resources wrapped in the common MCP *Resource*
 	// message. These are typed resources that match the type url in the
 	// IncrementalMeshConfigRequest.
-	Envelopes []Envelope `protobuf:"bytes,2,rep,name=envelopes" json:"envelopes"`
+	Resources []Resource `protobuf:"bytes,2,rep,name=resources" json:"resources"`
 	// Resources names of resources that have be deleted and to be
 	// removed from the MCP Client.  Removed resources for missing
 	// resources can be ignored.
@@ -289,9 +313,9 @@ func (m *IncrementalMeshConfigResponse) GetSystemVersionInfo() string {
 	return ""
 }
 
-func (m *IncrementalMeshConfigResponse) GetEnvelopes() []Envelope {
+func (m *IncrementalMeshConfigResponse) GetResources() []Resource {
 	if m != nil {
-		return m.Envelopes
+		return m.Resources
 	}
 	return nil
 }
@@ -310,21 +334,169 @@ func (m *IncrementalMeshConfigResponse) GetNonce() string {
 	return ""
 }
 
+// A RequestResource can be sent in two situations:
+//
+// Initial message in an MCP bidirectional change stream
+// as an ACK or NACK response to a previous Resources. In
+// this case the response_nonce is set to the nonce value
+// in the Resources. ACK/NACK is determined by the presence
+// of error_detail.
+//
+// * ACK  (nonce!="",error_details==nil)
+// * NACK (nonce!="",error_details!=nil)
+// * New/Update request (nonce=="",error_details ignored)
+//
+type RequestResources struct {
+	// The sink node making the request.
+	SinkNode *SinkNode `protobuf:"bytes,1,opt,name=sink_node,json=sinkNode" json:"sink_node,omitempty"`
+	// Type of resource collection that is being requested, e.g.
+	//
+	// istio/networking/v1alpha3/VirtualService
+	// k8s/<apiVersion>/<kind>
+	Collection string `protobuf:"bytes,2,opt,name=collection,proto3" json:"collection,omitempty"`
+	// When the RequestResources is the first in a stream, the initial_resource_versions must
+	// be populated. Otherwise, initial_resource_versions must be omitted. The keys are the
+	// resources names of the MCP resources known to the MCP client. The values in the map
+	// are the associated resource level version info.
+	InitialResourceVersions map[string]string `protobuf:"bytes,3,rep,name=initial_resource_versions,json=initialResourceVersions" json:"initial_resource_versions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	// When the RequestResources is an ACK or NACK message in response to a previous RequestResources,
+	// the response_nonce must be the nonce in the RequestResources. Otherwise response_nonce must
+	// be omitted.
+	ResponseNonce string `protobuf:"bytes,4,opt,name=response_nonce,json=responseNonce,proto3" json:"response_nonce,omitempty"`
+	// This is populated when the previously received resources could not be applied
+	// The *message* field in *error_details* provides the source internal error
+	// related to the failure.
+	ErrorDetail *google_rpc.Status `protobuf:"bytes,5,opt,name=error_detail,json=errorDetail" json:"error_detail,omitempty"`
+}
+
+func (m *RequestResources) Reset()                    { *m = RequestResources{} }
+func (m *RequestResources) String() string            { return proto.CompactTextString(m) }
+func (*RequestResources) ProtoMessage()               {}
+func (*RequestResources) Descriptor() ([]byte, []int) { return fileDescriptorMcp, []int{5} }
+
+func (m *RequestResources) GetSinkNode() *SinkNode {
+	if m != nil {
+		return m.SinkNode
+	}
+	return nil
+}
+
+func (m *RequestResources) GetCollection() string {
+	if m != nil {
+		return m.Collection
+	}
+	return ""
+}
+
+func (m *RequestResources) GetInitialResourceVersions() map[string]string {
+	if m != nil {
+		return m.InitialResourceVersions
+	}
+	return nil
+}
+
+func (m *RequestResources) GetResponseNonce() string {
+	if m != nil {
+		return m.ResponseNonce
+	}
+	return ""
+}
+
+func (m *RequestResources) GetErrorDetail() *google_rpc.Status {
+	if m != nil {
+		return m.ErrorDetail
+	}
+	return nil
+}
+
+// Resources do not need to include a full snapshot of the tracked
+// resources. Instead they are a diff to the state of a MCP client.
+// Per resource versions allow sources and sinks to track state at
+// the resource granularity. An MCP incremental session is always
+// in the context of a gRPC bidirectional stream. This allows the
+// MCP source to keep track of the state of MCP sink connected to
+// it.
+//
+// In Incremental MCP the nonce field is required and used to pair
+// Resources to an RequestResources ACK or NACK.
+type Resources struct {
+	// The version of the response data (used for debugging).
+	SystemVersionInfo string `protobuf:"bytes,1,opt,name=system_version_info,json=systemVersionInfo,proto3" json:"system_version_info,omitempty"`
+	// Type of resource collection that is being requested, e.g.
+	//
+	// istio/networking/v1alpha3/VirtualService
+	// k8s/<apiVersion>/<kind>
+	Collection string `protobuf:"bytes,2,opt,name=collection,proto3" json:"collection,omitempty"`
+	// The response resources wrapped in the common MCP *Resource* message.
+	// These are typed resources that match the type url in the
+	// RequestResources message.
+	Resources []Resource `protobuf:"bytes,3,rep,name=resources" json:"resources"`
+	// Names of resources that have been deleted and to be
+	// removed from the MCP sink node. Removed resources for missing
+	// resources can be ignored.
+	RemovedResources []string `protobuf:"bytes,4,rep,name=removed_resources,json=removedResources" json:"removed_resources,omitempty"`
+	// Required. The nonce provides a way for RequestChange to uniquely
+	// reference a RequestResources.
+	Nonce string `protobuf:"bytes,5,opt,name=nonce,proto3" json:"nonce,omitempty"`
+}
+
+func (m *Resources) Reset()                    { *m = Resources{} }
+func (m *Resources) String() string            { return proto.CompactTextString(m) }
+func (*Resources) ProtoMessage()               {}
+func (*Resources) Descriptor() ([]byte, []int) { return fileDescriptorMcp, []int{6} }
+
+func (m *Resources) GetSystemVersionInfo() string {
+	if m != nil {
+		return m.SystemVersionInfo
+	}
+	return ""
+}
+
+func (m *Resources) GetCollection() string {
+	if m != nil {
+		return m.Collection
+	}
+	return ""
+}
+
+func (m *Resources) GetResources() []Resource {
+	if m != nil {
+		return m.Resources
+	}
+	return nil
+}
+
+func (m *Resources) GetRemovedResources() []string {
+	if m != nil {
+		return m.RemovedResources
+	}
+	return nil
+}
+
+func (m *Resources) GetNonce() string {
+	if m != nil {
+		return m.Nonce
+	}
+	return ""
+}
+
 func init() {
-	proto.RegisterType((*Client)(nil), "istio.mcp.v1alpha1.Client")
+	proto.RegisterType((*SinkNode)(nil), "istio.mcp.v1alpha1.SinkNode")
 	proto.RegisterType((*MeshConfigRequest)(nil), "istio.mcp.v1alpha1.MeshConfigRequest")
 	proto.RegisterType((*MeshConfigResponse)(nil), "istio.mcp.v1alpha1.MeshConfigResponse")
 	proto.RegisterType((*IncrementalMeshConfigRequest)(nil), "istio.mcp.v1alpha1.IncrementalMeshConfigRequest")
 	proto.RegisterType((*IncrementalMeshConfigResponse)(nil), "istio.mcp.v1alpha1.IncrementalMeshConfigResponse")
+	proto.RegisterType((*RequestResources)(nil), "istio.mcp.v1alpha1.RequestResources")
+	proto.RegisterType((*Resources)(nil), "istio.mcp.v1alpha1.Resources")
 }
-func (this *Client) Equal(that interface{}) bool {
+func (this *SinkNode) Equal(that interface{}) bool {
 	if that == nil {
 		return this == nil
 	}
 
-	that1, ok := that.(*Client)
+	that1, ok := that.(*SinkNode)
 	if !ok {
-		that2, ok := that.(Client)
+		that2, ok := that.(SinkNode)
 		if ok {
 			that1 = &that2
 		} else {
@@ -339,9 +511,14 @@ func (this *Client) Equal(that interface{}) bool {
 	if this.Id != that1.Id {
 		return false
 	}
-	if !this.Metadata.Equal(that1.Metadata) {
+	if len(this.Annotations) != len(that1.Annotations) {
 		return false
 	}
+	for i := range this.Annotations {
+		if this.Annotations[i] != that1.Annotations[i] {
+			return false
+		}
+	}
 	return true
 }
 func (this *MeshConfigRequest) Equal(that interface{}) bool {
@@ -366,7 +543,7 @@ func (this *MeshConfigRequest) Equal(that interface{}) bool {
 	if this.VersionInfo != that1.VersionInfo {
 		return false
 	}
-	if !this.Client.Equal(that1.Client) {
+	if !this.SinkNode.Equal(that1.SinkNode) {
 		return false
 	}
 	if this.TypeUrl != that1.TypeUrl {
@@ -402,11 +579,11 @@ func (this *MeshConfigResponse) Equal(that interface{}) bool {
 	if this.VersionInfo != that1.VersionInfo {
 		return false
 	}
-	if len(this.Envelopes) != len(that1.Envelopes) {
+	if len(this.Resources) != len(that1.Resources) {
 		return false
 	}
-	for i := range this.Envelopes {
-		if !this.Envelopes[i].Equal(&that1.Envelopes[i]) {
+	for i := range this.Resources {
+		if !this.Resources[i].Equal(&that1.Resources[i]) {
 			return false
 		}
 	}
@@ -437,7 +614,7 @@ func (this *IncrementalMeshConfigRequest) Equal(that interface{}) bool {
 	} else if this == nil {
 		return false
 	}
-	if !this.Client.Equal(that1.Client) {
+	if !this.SinkNode.Equal(that1.SinkNode) {
 		return false
 	}
 	if this.TypeUrl != that1.TypeUrl {
@@ -481,11 +658,98 @@ func (this *IncrementalMeshConfigResponse) Equal(that interface{}) bool {
 	if this.SystemVersionInfo != that1.SystemVersionInfo {
 		return false
 	}
-	if len(this.Envelopes) != len(that1.Envelopes) {
+	if len(this.Resources) != len(that1.Resources) {
+		return false
+	}
+	for i := range this.Resources {
+		if !this.Resources[i].Equal(&that1.Resources[i]) {
+			return false
+		}
+	}
+	if len(this.RemovedResources) != len(that1.RemovedResources) {
+		return false
+	}
+	for i := range this.RemovedResources {
+		if this.RemovedResources[i] != that1.RemovedResources[i] {
+			return false
+		}
+	}
+	if this.Nonce != that1.Nonce {
+		return false
+	}
+	return true
+}
+func (this *RequestResources) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*RequestResources)
+	if !ok {
+		that2, ok := that.(RequestResources)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if !this.SinkNode.Equal(that1.SinkNode) {
+		return false
+	}
+	if this.Collection != that1.Collection {
+		return false
+	}
+	if len(this.InitialResourceVersions) != len(that1.InitialResourceVersions) {
+		return false
+	}
+	for i := range this.InitialResourceVersions {
+		if this.InitialResourceVersions[i] != that1.InitialResourceVersions[i] {
+			return false
+		}
+	}
+	if this.ResponseNonce != that1.ResponseNonce {
+		return false
+	}
+	if !this.ErrorDetail.Equal(that1.ErrorDetail) {
+		return false
+	}
+	return true
+}
+func (this *Resources) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*Resources)
+	if !ok {
+		that2, ok := that.(Resources)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.SystemVersionInfo != that1.SystemVersionInfo {
+		return false
+	}
+	if this.Collection != that1.Collection {
+		return false
+	}
+	if len(this.Resources) != len(that1.Resources) {
 		return false
 	}
-	for i := range this.Envelopes {
-		if !this.Envelopes[i].Equal(&that1.Envelopes[i]) {
+	for i := range this.Resources {
+		if !this.Resources[i].Equal(&that1.Resources[i]) {
 			return false
 		}
 	}
@@ -686,122 +950,333 @@ var _AggregatedMeshConfigService_serviceDesc = grpc.ServiceDesc{
 	Metadata: "mcp/v1alpha1/mcp.proto",
 }
 
-func (m *Client) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
+// Client API for ResourceSource service
+
+type ResourceSourceClient interface {
+	// The sink, acting as gRPC client, establishes a new resource stream
+	// with the source. The sink sends RequestResources message to
+	// and receives Resources messages from the source.
+	EstablishResourceStream(ctx context.Context, opts ...grpc.CallOption) (ResourceSource_EstablishResourceStreamClient, error)
 }
 
-func (m *Client) MarshalTo(dAtA []byte) (int, error) {
-	var i int
-	_ = i
-	var l int
-	_ = l
-	if len(m.Id) > 0 {
-		dAtA[i] = 0xa
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(len(m.Id)))
-		i += copy(dAtA[i:], m.Id)
-	}
-	if m.Metadata != nil {
-		dAtA[i] = 0x12
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(m.Metadata.Size()))
-		n1, err := m.Metadata.MarshalTo(dAtA[i:])
-		if err != nil {
-			return 0, err
-		}
-		i += n1
-	}
-	return i, nil
+type resourceSourceClient struct {
+	cc *grpc.ClientConn
 }
 
-func (m *MeshConfigRequest) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
+func NewResourceSourceClient(cc *grpc.ClientConn) ResourceSourceClient {
+	return &resourceSourceClient{cc}
+}
+
+func (c *resourceSourceClient) EstablishResourceStream(ctx context.Context, opts ...grpc.CallOption) (ResourceSource_EstablishResourceStreamClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_ResourceSource_serviceDesc.Streams[0], c.cc, "/istio.mcp.v1alpha1.ResourceSource/EstablishResourceStream", opts...)
 	if err != nil {
 		return nil, err
 	}
-	return dAtA[:n], nil
+	x := &resourceSourceEstablishResourceStreamClient{stream}
+	return x, nil
 }
 
-func (m *MeshConfigRequest) MarshalTo(dAtA []byte) (int, error) {
-	var i int
-	_ = i
-	var l int
-	_ = l
-	if len(m.VersionInfo) > 0 {
-		dAtA[i] = 0xa
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(len(m.VersionInfo)))
-		i += copy(dAtA[i:], m.VersionInfo)
-	}
-	if m.Client != nil {
-		dAtA[i] = 0x12
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(m.Client.Size()))
-		n2, err := m.Client.MarshalTo(dAtA[i:])
-		if err != nil {
-			return 0, err
-		}
-		i += n2
-	}
-	if len(m.TypeUrl) > 0 {
-		dAtA[i] = 0x1a
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(len(m.TypeUrl)))
-		i += copy(dAtA[i:], m.TypeUrl)
-	}
-	if len(m.ResponseNonce) > 0 {
-		dAtA[i] = 0x22
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(len(m.ResponseNonce)))
-		i += copy(dAtA[i:], m.ResponseNonce)
-	}
-	if m.ErrorDetail != nil {
-		dAtA[i] = 0x2a
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(m.ErrorDetail.Size()))
-		n3, err := m.ErrorDetail.MarshalTo(dAtA[i:])
-		if err != nil {
-			return 0, err
-		}
-		i += n3
-	}
-	return i, nil
+type ResourceSource_EstablishResourceStreamClient interface {
+	Send(*RequestResources) error
+	Recv() (*Resources, error)
+	grpc.ClientStream
 }
 
-func (m *MeshConfigResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
-	if err != nil {
+type resourceSourceEstablishResourceStreamClient struct {
+	grpc.ClientStream
+}
+
+func (x *resourceSourceEstablishResourceStreamClient) Send(m *RequestResources) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *resourceSourceEstablishResourceStreamClient) Recv() (*Resources, error) {
+	m := new(Resources)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
 		return nil, err
 	}
-	return dAtA[:n], nil
+	return m, nil
 }
 
-func (m *MeshConfigResponse) MarshalTo(dAtA []byte) (int, error) {
-	var i int
-	_ = i
-	var l int
-	_ = l
-	if len(m.VersionInfo) > 0 {
-		dAtA[i] = 0xa
-		i++
-		i = encodeVarintMcp(dAtA, i, uint64(len(m.VersionInfo)))
-		i += copy(dAtA[i:], m.VersionInfo)
-	}
-	if len(m.Envelopes) > 0 {
-		for _, msg := range m.Envelopes {
-			dAtA[i] = 0x12
-			i++
-			i = encodeVarintMcp(dAtA, i, uint64(msg.Size()))
+// Server API for ResourceSource service
+
+type ResourceSourceServer interface {
+	// The sink, acting as gRPC client, establishes a new resource stream
+	// with the source. The sink sends RequestResources message to
+	// and receives Resources messages from the source.
+	EstablishResourceStream(ResourceSource_EstablishResourceStreamServer) error
+}
+
+func RegisterResourceSourceServer(s *grpc.Server, srv ResourceSourceServer) {
+	s.RegisterService(&_ResourceSource_serviceDesc, srv)
+}
+
+func _ResourceSource_EstablishResourceStream_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(ResourceSourceServer).EstablishResourceStream(&resourceSourceEstablishResourceStreamServer{stream})
+}
+
+type ResourceSource_EstablishResourceStreamServer interface {
+	Send(*Resources) error
+	Recv() (*RequestResources, error)
+	grpc.ServerStream
+}
+
+type resourceSourceEstablishResourceStreamServer struct {
+	grpc.ServerStream
+}
+
+func (x *resourceSourceEstablishResourceStreamServer) Send(m *Resources) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *resourceSourceEstablishResourceStreamServer) Recv() (*RequestResources, error) {
+	m := new(RequestResources)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _ResourceSource_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "istio.mcp.v1alpha1.ResourceSource",
+	HandlerType: (*ResourceSourceServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "EstablishResourceStream",
+			Handler:       _ResourceSource_EstablishResourceStream_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "mcp/v1alpha1/mcp.proto",
+}
+
+// Client API for ResourceSink service
+
+type ResourceSinkClient interface {
+	// The source, acting as gRPC client, establishes a new resource stream
+	// with the sink. The sink sends RequestResources message to and
+	// receives Resources messages from the source.
+	EstablishResourceStream(ctx context.Context, opts ...grpc.CallOption) (ResourceSink_EstablishResourceStreamClient, error)
+}
+
+type resourceSinkClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewResourceSinkClient(cc *grpc.ClientConn) ResourceSinkClient {
+	return &resourceSinkClient{cc}
+}
+
+func (c *resourceSinkClient) EstablishResourceStream(ctx context.Context, opts ...grpc.CallOption) (ResourceSink_EstablishResourceStreamClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_ResourceSink_serviceDesc.Streams[0], c.cc, "/istio.mcp.v1alpha1.ResourceSink/EstablishResourceStream", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &resourceSinkEstablishResourceStreamClient{stream}
+	return x, nil
+}
+
+type ResourceSink_EstablishResourceStreamClient interface {
+	Send(*Resources) error
+	Recv() (*RequestResources, error)
+	grpc.ClientStream
+}
+
+type resourceSinkEstablishResourceStreamClient struct {
+	grpc.ClientStream
+}
+
+func (x *resourceSinkEstablishResourceStreamClient) Send(m *Resources) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *resourceSinkEstablishResourceStreamClient) Recv() (*RequestResources, error) {
+	m := new(RequestResources)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// Server API for ResourceSink service
+
+type ResourceSinkServer interface {
+	// The source, acting as gRPC client, establishes a new resource stream
+	// with the sink. The sink sends RequestResources message to and
+	// receives Resources messages from the source.
+	EstablishResourceStream(ResourceSink_EstablishResourceStreamServer) error
+}
+
+func RegisterResourceSinkServer(s *grpc.Server, srv ResourceSinkServer) {
+	s.RegisterService(&_ResourceSink_serviceDesc, srv)
+}
+
+func _ResourceSink_EstablishResourceStream_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(ResourceSinkServer).EstablishResourceStream(&resourceSinkEstablishResourceStreamServer{stream})
+}
+
+type ResourceSink_EstablishResourceStreamServer interface {
+	Send(*RequestResources) error
+	Recv() (*Resources, error)
+	grpc.ServerStream
+}
+
+type resourceSinkEstablishResourceStreamServer struct {
+	grpc.ServerStream
+}
+
+func (x *resourceSinkEstablishResourceStreamServer) Send(m *RequestResources) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *resourceSinkEstablishResourceStreamServer) Recv() (*Resources, error) {
+	m := new(Resources)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _ResourceSink_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "istio.mcp.v1alpha1.ResourceSink",
+	HandlerType: (*ResourceSinkServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "EstablishResourceStream",
+			Handler:       _ResourceSink_EstablishResourceStream_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "mcp/v1alpha1/mcp.proto",
+}
+
+func (m *SinkNode) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SinkNode) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Id) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.Id)))
+		i += copy(dAtA[i:], m.Id)
+	}
+	if len(m.Annotations) > 0 {
+		for k, _ := range m.Annotations {
+			dAtA[i] = 0x12
+			i++
+			v := m.Annotations[k]
+			mapSize := 1 + len(k) + sovMcp(uint64(len(k))) + 1 + len(v) + sovMcp(uint64(len(v)))
+			i = encodeVarintMcp(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintMcp(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintMcp(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *MeshConfigRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *MeshConfigRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.VersionInfo) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.VersionInfo)))
+		i += copy(dAtA[i:], m.VersionInfo)
+	}
+	if m.SinkNode != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(m.SinkNode.Size()))
+		n1, err := m.SinkNode.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n1
+	}
+	if len(m.TypeUrl) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.TypeUrl)))
+		i += copy(dAtA[i:], m.TypeUrl)
+	}
+	if len(m.ResponseNonce) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.ResponseNonce)))
+		i += copy(dAtA[i:], m.ResponseNonce)
+	}
+	if m.ErrorDetail != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(m.ErrorDetail.Size()))
+		n2, err := m.ErrorDetail.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	return i, nil
+}
+
+func (m *MeshConfigResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *MeshConfigResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.VersionInfo) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.VersionInfo)))
+		i += copy(dAtA[i:], m.VersionInfo)
+	}
+	if len(m.Resources) > 0 {
+		for _, msg := range m.Resources {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintMcp(dAtA, i, uint64(msg.Size()))
 			n, err := msg.MarshalTo(dAtA[i:])
 			if err != nil {
 				return 0, err
@@ -839,15 +1314,15 @@ func (m *IncrementalMeshConfigRequest) MarshalTo(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
-	if m.Client != nil {
+	if m.SinkNode != nil {
 		dAtA[i] = 0xa
 		i++
-		i = encodeVarintMcp(dAtA, i, uint64(m.Client.Size()))
-		n4, err := m.Client.MarshalTo(dAtA[i:])
+		i = encodeVarintMcp(dAtA, i, uint64(m.SinkNode.Size()))
+		n3, err := m.SinkNode.MarshalTo(dAtA[i:])
 		if err != nil {
 			return 0, err
 		}
-		i += n4
+		i += n3
 	}
 	if len(m.TypeUrl) > 0 {
 		dAtA[i] = 0x12
@@ -882,11 +1357,11 @@ func (m *IncrementalMeshConfigRequest) MarshalTo(dAtA []byte) (int, error) {
 		dAtA[i] = 0x2a
 		i++
 		i = encodeVarintMcp(dAtA, i, uint64(m.ErrorDetail.Size()))
-		n5, err := m.ErrorDetail.MarshalTo(dAtA[i:])
+		n4, err := m.ErrorDetail.MarshalTo(dAtA[i:])
 		if err != nil {
 			return 0, err
 		}
-		i += n5
+		i += n4
 	}
 	return i, nil
 }
@@ -912,8 +1387,8 @@ func (m *IncrementalMeshConfigResponse) MarshalTo(dAtA []byte) (int, error) {
 		i = encodeVarintMcp(dAtA, i, uint64(len(m.SystemVersionInfo)))
 		i += copy(dAtA[i:], m.SystemVersionInfo)
 	}
-	if len(m.Envelopes) > 0 {
-		for _, msg := range m.Envelopes {
+	if len(m.Resources) > 0 {
+		for _, msg := range m.Resources {
 			dAtA[i] = 0x12
 			i++
 			i = encodeVarintMcp(dAtA, i, uint64(msg.Size()))
@@ -948,49 +1423,183 @@ func (m *IncrementalMeshConfigResponse) MarshalTo(dAtA []byte) (int, error) {
 	return i, nil
 }
 
-func encodeVarintMcp(dAtA []byte, offset int, v uint64) int {
-	for v >= 1<<7 {
-		dAtA[offset] = uint8(v&0x7f | 0x80)
-		v >>= 7
-		offset++
-	}
-	dAtA[offset] = uint8(v)
-	return offset + 1
-}
-func (m *Client) Size() (n int) {
-	var l int
-	_ = l
-	l = len(m.Id)
-	if l > 0 {
-		n += 1 + l + sovMcp(uint64(l))
-	}
-	if m.Metadata != nil {
-		l = m.Metadata.Size()
-		n += 1 + l + sovMcp(uint64(l))
+func (m *RequestResources) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
 	}
-	return n
+	return dAtA[:n], nil
 }
 
-func (m *MeshConfigRequest) Size() (n int) {
+func (m *RequestResources) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
 	var l int
 	_ = l
-	l = len(m.VersionInfo)
-	if l > 0 {
-		n += 1 + l + sovMcp(uint64(l))
-	}
-	if m.Client != nil {
-		l = m.Client.Size()
-		n += 1 + l + sovMcp(uint64(l))
-	}
-	l = len(m.TypeUrl)
-	if l > 0 {
-		n += 1 + l + sovMcp(uint64(l))
+	if m.SinkNode != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(m.SinkNode.Size()))
+		n5, err := m.SinkNode.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n5
 	}
-	l = len(m.ResponseNonce)
-	if l > 0 {
-		n += 1 + l + sovMcp(uint64(l))
+	if len(m.Collection) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.Collection)))
+		i += copy(dAtA[i:], m.Collection)
 	}
-	if m.ErrorDetail != nil {
+	if len(m.InitialResourceVersions) > 0 {
+		for k, _ := range m.InitialResourceVersions {
+			dAtA[i] = 0x1a
+			i++
+			v := m.InitialResourceVersions[k]
+			mapSize := 1 + len(k) + sovMcp(uint64(len(k))) + 1 + len(v) + sovMcp(uint64(len(v)))
+			i = encodeVarintMcp(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintMcp(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintMcp(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.ResponseNonce) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.ResponseNonce)))
+		i += copy(dAtA[i:], m.ResponseNonce)
+	}
+	if m.ErrorDetail != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(m.ErrorDetail.Size()))
+		n6, err := m.ErrorDetail.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	return i, nil
+}
+
+func (m *Resources) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Resources) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.SystemVersionInfo) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.SystemVersionInfo)))
+		i += copy(dAtA[i:], m.SystemVersionInfo)
+	}
+	if len(m.Collection) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.Collection)))
+		i += copy(dAtA[i:], m.Collection)
+	}
+	if len(m.Resources) > 0 {
+		for _, msg := range m.Resources {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintMcp(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.RemovedResources) > 0 {
+		for _, s := range m.RemovedResources {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Nonce) > 0 {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintMcp(dAtA, i, uint64(len(m.Nonce)))
+		i += copy(dAtA[i:], m.Nonce)
+	}
+	return i, nil
+}
+
+func encodeVarintMcp(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *SinkNode) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Id)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	if len(m.Annotations) > 0 {
+		for k, v := range m.Annotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovMcp(uint64(len(k))) + 1 + len(v) + sovMcp(uint64(len(v)))
+			n += mapEntrySize + 1 + sovMcp(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *MeshConfigRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.VersionInfo)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	if m.SinkNode != nil {
+		l = m.SinkNode.Size()
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	l = len(m.TypeUrl)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	l = len(m.ResponseNonce)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	if m.ErrorDetail != nil {
 		l = m.ErrorDetail.Size()
 		n += 1 + l + sovMcp(uint64(l))
 	}
@@ -1004,8 +1613,8 @@ func (m *MeshConfigResponse) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovMcp(uint64(l))
 	}
-	if len(m.Envelopes) > 0 {
-		for _, e := range m.Envelopes {
+	if len(m.Resources) > 0 {
+		for _, e := range m.Resources {
 			l = e.Size()
 			n += 1 + l + sovMcp(uint64(l))
 		}
@@ -1024,8 +1633,8 @@ func (m *MeshConfigResponse) Size() (n int) {
 func (m *IncrementalMeshConfigRequest) Size() (n int) {
 	var l int
 	_ = l
-	if m.Client != nil {
-		l = m.Client.Size()
+	if m.SinkNode != nil {
+		l = m.SinkNode.Size()
 		n += 1 + l + sovMcp(uint64(l))
 	}
 	l = len(m.TypeUrl)
@@ -1058,8 +1667,68 @@ func (m *IncrementalMeshConfigResponse) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovMcp(uint64(l))
 	}
-	if len(m.Envelopes) > 0 {
-		for _, e := range m.Envelopes {
+	if len(m.Resources) > 0 {
+		for _, e := range m.Resources {
+			l = e.Size()
+			n += 1 + l + sovMcp(uint64(l))
+		}
+	}
+	if len(m.RemovedResources) > 0 {
+		for _, s := range m.RemovedResources {
+			l = len(s)
+			n += 1 + l + sovMcp(uint64(l))
+		}
+	}
+	l = len(m.Nonce)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	return n
+}
+
+func (m *RequestResources) Size() (n int) {
+	var l int
+	_ = l
+	if m.SinkNode != nil {
+		l = m.SinkNode.Size()
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	l = len(m.Collection)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	if len(m.InitialResourceVersions) > 0 {
+		for k, v := range m.InitialResourceVersions {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovMcp(uint64(len(k))) + 1 + len(v) + sovMcp(uint64(len(v)))
+			n += mapEntrySize + 1 + sovMcp(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.ResponseNonce)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	if m.ErrorDetail != nil {
+		l = m.ErrorDetail.Size()
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	return n
+}
+
+func (m *Resources) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.SystemVersionInfo)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	l = len(m.Collection)
+	if l > 0 {
+		n += 1 + l + sovMcp(uint64(l))
+	}
+	if len(m.Resources) > 0 {
+		for _, e := range m.Resources {
 			l = e.Size()
 			n += 1 + l + sovMcp(uint64(l))
 		}
@@ -1090,7 +1759,407 @@ func sovMcp(x uint64) (n int) {
 func sozMcp(x uint64) (n int) {
 	return sovMcp(uint64((x << 1) ^ uint64((int64(x) >> 63))))
 }
-func (m *Client) Unmarshal(dAtA []byte) error {
+func (m *SinkNode) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowMcp
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SinkNode: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SinkNode: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Id", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Id = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Annotations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Annotations == nil {
+				m.Annotations = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowMcp
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMcp
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthMcp
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMcp
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthMcp
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipMcp(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthMcp
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Annotations[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipMcp(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthMcp
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *MeshConfigRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowMcp
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: MeshConfigRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: MeshConfigRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VersionInfo", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VersionInfo = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SinkNode", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SinkNode == nil {
+				m.SinkNode = &SinkNode{}
+			}
+			if err := m.SinkNode.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TypeUrl = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResponseNonce", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResponseNonce = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ErrorDetail", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ErrorDetail == nil {
+				m.ErrorDetail = &google_rpc.Status{}
+			}
+			if err := m.ErrorDetail.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipMcp(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthMcp
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *MeshConfigResponse) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1113,15 +2182,15 @@ func (m *Client) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: Client: wiretype end group for non-group")
+			return fmt.Errorf("proto: MeshConfigResponse: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: Client: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: MeshConfigResponse: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Id", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field VersionInfo", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -1146,11 +2215,11 @@ func (m *Client) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Id = string(dAtA[iNdEx:postIndex])
+			m.VersionInfo = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Metadata", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1174,13 +2243,69 @@ func (m *Client) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.Metadata == nil {
-				m.Metadata = &google_protobuf3.Struct{}
-			}
-			if err := m.Metadata.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.Resources = append(m.Resources, Resource{})
+			if err := m.Resources[len(m.Resources)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TypeUrl = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Nonce", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Nonce = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipMcp(dAtA[iNdEx:])
@@ -1202,7 +2327,7 @@ func (m *Client) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *MeshConfigRequest) Unmarshal(dAtA []byte) error {
+func (m *IncrementalMeshConfigRequest) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1225,17 +2350,17 @@ func (m *MeshConfigRequest) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: MeshConfigRequest: wiretype end group for non-group")
+			return fmt.Errorf("proto: IncrementalMeshConfigRequest: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: MeshConfigRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: IncrementalMeshConfigRequest: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field VersionInfo", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field SinkNode", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowMcp
@@ -1245,26 +2370,30 @@ func (m *MeshConfigRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= (uint64(b) & 0x7F) << shift
+				msglen |= (int(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthMcp
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.VersionInfo = string(dAtA[iNdEx:postIndex])
+			if m.SinkNode == nil {
+				m.SinkNode = &SinkNode{}
+			}
+			if err := m.SinkNode.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Client", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowMcp
@@ -1274,30 +2403,26 @@ func (m *MeshConfigRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= (int(b) & 0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthMcp
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.Client == nil {
-				m.Client = &Client{}
-			}
-			if err := m.Client.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.TypeUrl = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 3:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field InitialResourceVersions", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowMcp
@@ -1307,20 +2432,109 @@ func (m *MeshConfigRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= (uint64(b) & 0x7F) << shift
+				msglen |= (int(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthMcp
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.TypeUrl = string(dAtA[iNdEx:postIndex])
+			if m.InitialResourceVersions == nil {
+				m.InitialResourceVersions = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowMcp
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMcp
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthMcp
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMcp
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthMcp
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipMcp(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthMcp
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.InitialResourceVersions[mapkey] = mapvalue
 			iNdEx = postIndex
 		case 4:
 			if wireType != 2 {
@@ -1405,7 +2619,7 @@ func (m *MeshConfigRequest) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *MeshConfigResponse) Unmarshal(dAtA []byte) error {
+func (m *IncrementalMeshConfigResponse) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1428,15 +2642,15 @@ func (m *MeshConfigResponse) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: MeshConfigResponse: wiretype end group for non-group")
+			return fmt.Errorf("proto: IncrementalMeshConfigResponse: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: MeshConfigResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: IncrementalMeshConfigResponse: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field VersionInfo", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field SystemVersionInfo", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -1461,11 +2675,11 @@ func (m *MeshConfigResponse) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.VersionInfo = string(dAtA[iNdEx:postIndex])
+			m.SystemVersionInfo = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Envelopes", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1489,14 +2703,14 @@ func (m *MeshConfigResponse) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Envelopes = append(m.Envelopes, Envelope{})
-			if err := m.Envelopes[len(m.Envelopes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.Resources = append(m.Resources, Resource{})
+			if err := m.Resources[len(m.Resources)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
 		case 3:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field RemovedResources", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -1521,7 +2735,7 @@ func (m *MeshConfigResponse) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.TypeUrl = string(dAtA[iNdEx:postIndex])
+			m.RemovedResources = append(m.RemovedResources, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
 		case 4:
 			if wireType != 2 {
@@ -1573,7 +2787,7 @@ func (m *MeshConfigResponse) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *IncrementalMeshConfigRequest) Unmarshal(dAtA []byte) error {
+func (m *RequestResources) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1596,15 +2810,15 @@ func (m *IncrementalMeshConfigRequest) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: IncrementalMeshConfigRequest: wiretype end group for non-group")
+			return fmt.Errorf("proto: RequestResources: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: IncrementalMeshConfigRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: RequestResources: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Client", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field SinkNode", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1628,16 +2842,16 @@ func (m *IncrementalMeshConfigRequest) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.Client == nil {
-				m.Client = &Client{}
+			if m.SinkNode == nil {
+				m.SinkNode = &SinkNode{}
 			}
-			if err := m.Client.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if err := m.SinkNode.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Collection", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -1662,7 +2876,7 @@ func (m *IncrementalMeshConfigRequest) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.TypeUrl = string(dAtA[iNdEx:postIndex])
+			m.Collection = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 3:
 			if wireType != 2 {
@@ -1865,7 +3079,7 @@ func (m *IncrementalMeshConfigRequest) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *IncrementalMeshConfigResponse) Unmarshal(dAtA []byte) error {
+func (m *Resources) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1888,10 +3102,10 @@ func (m *IncrementalMeshConfigResponse) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: IncrementalMeshConfigResponse: wiretype end group for non-group")
+			return fmt.Errorf("proto: Resources: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: IncrementalMeshConfigResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: Resources: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
@@ -1925,7 +3139,36 @@ func (m *IncrementalMeshConfigResponse) Unmarshal(dAtA []byte) error {
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Envelopes", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Collection", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMcp
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthMcp
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Collection = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1949,12 +3192,12 @@ func (m *IncrementalMeshConfigResponse) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Envelopes = append(m.Envelopes, Envelope{})
-			if err := m.Envelopes[len(m.Envelopes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.Resources = append(m.Resources, Resource{})
+			if err := m.Resources[len(m.Resources)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
-		case 3:
+		case 4:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field RemovedResources", wireType)
 			}
@@ -1983,7 +3226,7 @@ func (m *IncrementalMeshConfigResponse) Unmarshal(dAtA []byte) error {
 			}
 			m.RemovedResources = append(m.RemovedResources, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
-		case 4:
+		case 5:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field Nonce", wireType)
 			}
@@ -2141,45 +3384,53 @@ var (
 func init() { proto.RegisterFile("mcp/v1alpha1/mcp.proto", fileDescriptorMcp) }
 
 var fileDescriptorMcp = []byte{
-	// 635 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x54, 0x41, 0x4f, 0x13, 0x4f,
-	0x14, 0x67, 0xb6, 0xc0, 0x1f, 0xa6, 0xfc, 0x09, 0x8c, 0x44, 0xb6, 0x05, 0x2b, 0x36, 0xc1, 0x34,
-	0x21, 0xd9, 0x85, 0x12, 0x13, 0xe3, 0x49, 0x41, 0x0e, 0x98, 0xe0, 0x61, 0x1b, 0x39, 0x78, 0xd9,
-	0x0c, 0xdb, 0xd7, 0x65, 0xe2, 0xee, 0xcc, 0x3a, 0x33, 0xdb, 0xa4, 0x1f, 0xc1, 0xf8, 0x19, 0x3c,
-	0x79, 0x31, 0x7e, 0x12, 0x8e, 0x1e, 0x3c, 0x1b, 0x53, 0xbf, 0x88, 0xd9, 0xdd, 0x29, 0x2d, 0xe9,
-	0x82, 0x62, 0xf4, 0x36, 0xf3, 0xde, 0x6f, 0xde, 0xfb, 0xfd, 0x7e, 0xef, 0x65, 0xf0, 0xdd, 0x38,
-	0x48, 0xdc, 0xfe, 0x1e, 0x8d, 0x92, 0x73, 0xba, 0xe7, 0xc6, 0x41, 0xe2, 0x24, 0x52, 0x68, 0x41,
-	0x08, 0x53, 0x9a, 0x09, 0x27, 0x0b, 0x8c, 0xb2, 0xf5, 0xcd, 0x50, 0x88, 0x30, 0x02, 0x37, 0x47,
-	0x9c, 0xa5, 0x3d, 0x57, 0x69, 0x99, 0x06, 0xba, 0x78, 0x51, 0x5f, 0x37, 0x59, 0x99, 0x04, 0xae,
-	0xd2, 0x54, 0xa7, 0xca, 0x24, 0xd6, 0x42, 0x11, 0x8a, 0xfc, 0xe8, 0x66, 0x27, 0x13, 0xdd, 0xb8,
-	0xd2, 0x18, 0x78, 0x1f, 0x22, 0x91, 0x40, 0x91, 0x6c, 0x9e, 0xe0, 0xf9, 0xc3, 0x88, 0x01, 0xd7,
-	0x64, 0x19, 0x5b, 0xac, 0x6b, 0xa3, 0x2d, 0xd4, 0x5a, 0xf4, 0x2c, 0xd6, 0x25, 0xfb, 0x78, 0x21,
-	0x06, 0x4d, 0xbb, 0x54, 0x53, 0xdb, 0xda, 0x42, 0xad, 0x6a, 0x7b, 0xdd, 0x29, 0x1a, 0x3b, 0x23,
-	0x5a, 0x4e, 0x27, 0xa7, 0xe5, 0x5d, 0x02, 0x9b, 0x3f, 0x10, 0x5e, 0x3d, 0x01, 0x75, 0x7e, 0x28,
-	0x78, 0x8f, 0x85, 0x1e, 0xbc, 0x4d, 0x41, 0x69, 0xf2, 0x00, 0x2f, 0xf5, 0x41, 0x2a, 0x26, 0xb8,
-	0xcf, 0x78, 0x4f, 0x98, 0x26, 0x55, 0x13, 0x3b, 0xe6, 0x3d, 0x41, 0xda, 0x78, 0x3e, 0xc8, 0x79,
-	0x98, 0x5e, 0x75, 0x67, 0xda, 0x16, 0xa7, 0x60, 0xea, 0x19, 0x24, 0xa9, 0xe1, 0x05, 0x3d, 0x48,
-	0xc0, 0x4f, 0x65, 0x64, 0x57, 0xf2, 0x92, 0xff, 0x65, 0xf7, 0x57, 0x32, 0x22, 0xdb, 0x78, 0x59,
-	0x82, 0x4a, 0x04, 0x57, 0xe0, 0x73, 0xc1, 0x03, 0xb0, 0x67, 0x73, 0xc0, 0xff, 0xa3, 0xe8, 0xcb,
-	0x2c, 0x48, 0x1e, 0xe1, 0x25, 0x90, 0x52, 0x48, 0xbf, 0x0b, 0x9a, 0xb2, 0xc8, 0x9e, 0xcb, 0x7b,
-	0x93, 0x91, 0x4e, 0x99, 0x04, 0x4e, 0x27, 0x37, 0xd8, 0xab, 0xe6, 0xb8, 0xe7, 0x39, 0xac, 0xf9,
-	0x19, 0x61, 0x32, 0xa9, 0xb2, 0x28, 0xf9, 0x3b, 0x32, 0x9f, 0xe2, 0xc5, 0xd1, 0x00, 0x94, 0x6d,
-	0x6d, 0x55, 0x5a, 0xd5, 0xf6, 0x66, 0x99, 0xd2, 0x23, 0x03, 0x3a, 0x98, 0xbd, 0xf8, 0x76, 0x7f,
-	0xc6, 0x1b, 0x3f, 0xba, 0x49, 0xf4, 0x1a, 0x9e, 0x9b, 0xd4, 0x5a, 0x5c, 0x9a, 0x1f, 0x2b, 0x78,
-	0xf3, 0x98, 0x07, 0x12, 0x62, 0xe0, 0x9a, 0x46, 0xd3, 0xd3, 0x19, 0x5b, 0x8f, 0xfe, 0xc8, 0x7a,
-	0xeb, 0x2a, 0x8b, 0x77, 0x08, 0xd7, 0x18, 0x67, 0x9a, 0xd1, 0xc8, 0x97, 0xa0, 0x44, 0x2a, 0x03,
-	0xf0, 0x8d, 0x07, 0xca, 0xae, 0xe4, 0x9a, 0x4f, 0xca, 0x5a, 0xdc, 0x44, 0xd2, 0x39, 0x2e, 0x2a,
-	0x7a, 0xa6, 0xe0, 0xa9, 0xa9, 0x77, 0xc4, 0xb5, 0x1c, 0x78, 0xeb, 0xac, 0x3c, 0xfb, 0x6f, 0xd7,
-	0xa0, 0xfe, 0x22, 0x33, 0xf6, 0x7a, 0x5a, 0x64, 0x05, 0x57, 0xde, 0xc0, 0xc0, 0xac, 0x41, 0x76,
-	0xcc, 0x26, 0xd4, 0xa7, 0x51, 0x0a, 0xc6, 0xb3, 0xe2, 0xf2, 0xc4, 0x7a, 0x8c, 0x9a, 0x5f, 0x11,
-	0xbe, 0x77, 0x8d, 0x01, 0x66, 0xbb, 0x1c, 0x7c, 0x47, 0x0d, 0x94, 0x86, 0xd8, 0x2f, 0x59, 0xb2,
-	0xd5, 0x22, 0x75, 0xfa, 0x57, 0x57, 0x6d, 0x07, 0xaf, 0x4a, 0x88, 0x45, 0x1f, 0xba, 0x97, 0x83,
-	0x2c, 0x06, 0xb8, 0xe8, 0xad, 0x98, 0xc4, 0x48, 0xb8, 0x2a, 0x5f, 0xbe, 0xf6, 0x07, 0x0b, 0x6f,
-	0x3c, 0x0b, 0x43, 0x09, 0x21, 0xd5, 0xd0, 0x1d, 0xab, 0xea, 0x80, 0xec, 0xb3, 0x00, 0x48, 0x82,
-	0x6b, 0x1d, 0x2d, 0x81, 0xc6, 0x63, 0xd0, 0xb8, 0xe4, 0x76, 0x19, 0xdd, 0xa9, 0xd5, 0xa8, 0x3f,
-	0xfc, 0x15, 0xac, 0x30, 0xb0, 0x39, 0xd3, 0x42, 0xbb, 0x88, 0xbc, 0x47, 0xb8, 0x31, 0x61, 0x74,
-	0x59, 0xdf, 0xdd, 0xdb, 0x6e, 0x67, 0x7d, 0xef, 0x16, 0x2f, 0x26, 0xd9, 0x1c, 0xec, 0x7c, 0x1a,
-	0x36, 0xd0, 0xc5, 0xb0, 0x81, 0xbe, 0x0c, 0x1b, 0xe8, 0xfb, 0xb0, 0x81, 0x5e, 0xd7, 0x8a, 0x4a,
-	0x4c, 0xb8, 0x34, 0x61, 0xee, 0xe4, 0xd7, 0x7d, 0x36, 0x9f, 0xff, 0xbb, 0xfb, 0x3f, 0x03, 0x00,
-	0x00, 0xff, 0xff, 0x7b, 0x9d, 0xce, 0x14, 0x4a, 0x06, 0x00, 0x00,
+	// 755 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0x4f, 0x4f, 0x1b, 0x47,
+	0x14, 0x67, 0x6c, 0xdc, 0xe2, 0x67, 0x8a, 0xcc, 0x14, 0x15, 0x7b, 0x01, 0x97, 0x5a, 0xa5, 0x42,
+	0x42, 0x5d, 0x83, 0xab, 0x4a, 0x6d, 0x0f, 0x55, 0xa1, 0xe5, 0x40, 0x25, 0xa8, 0xb4, 0x56, 0x39,
+	0xe4, 0xb2, 0x5a, 0x76, 0x87, 0x65, 0xe4, 0xf5, 0xcc, 0x66, 0x66, 0x6c, 0xc9, 0x87, 0x7c, 0x80,
+	0x28, 0xf7, 0xdc, 0x72, 0x8f, 0xc8, 0x17, 0xe1, 0x98, 0x43, 0xce, 0x11, 0xf2, 0x31, 0x9f, 0x22,
+	0xda, 0x7f, 0xec, 0x3a, 0x2c, 0x36, 0x4e, 0xc8, 0x25, 0x97, 0xd5, 0xcc, 0x7b, 0x6f, 0x7e, 0xef,
+	0xcf, 0xef, 0x37, 0xa3, 0x85, 0xef, 0x7a, 0xb6, 0xdf, 0x1a, 0xec, 0x59, 0x9e, 0x7f, 0x61, 0xed,
+	0xb5, 0x7a, 0xb6, 0xaf, 0xfb, 0x82, 0x2b, 0x8e, 0x31, 0x95, 0x8a, 0x72, 0x3d, 0x30, 0x24, 0x5e,
+	0x6d, 0xd5, 0xe5, 0xdc, 0xf5, 0x48, 0x4b, 0xf8, 0x76, 0x4b, 0x2a, 0x4b, 0xf5, 0x65, 0x14, 0xac,
+	0xad, 0xb8, 0xdc, 0xe5, 0xe1, 0xb2, 0x15, 0xac, 0x62, 0xeb, 0xda, 0x18, 0xb4, 0x20, 0x92, 0xf7,
+	0x85, 0x4d, 0x22, 0x67, 0xf3, 0x15, 0x82, 0x85, 0x0e, 0x65, 0xdd, 0x13, 0xee, 0x10, 0xbc, 0x04,
+	0x05, 0xea, 0xd4, 0xd0, 0x26, 0xda, 0x2e, 0x1b, 0x05, 0xea, 0xe0, 0xff, 0xa0, 0x62, 0x31, 0xc6,
+	0x95, 0xa5, 0x28, 0x67, 0xb2, 0x56, 0xd8, 0x2c, 0x6e, 0x57, 0xda, 0x3f, 0xeb, 0xb7, 0x4b, 0xd2,
+	0x13, 0x08, 0x7d, 0x3f, 0x8d, 0x3f, 0x64, 0x4a, 0x0c, 0x8d, 0x2c, 0x82, 0xf6, 0x27, 0x54, 0x3f,
+	0x0c, 0xc0, 0x55, 0x28, 0x76, 0xc9, 0x30, 0xce, 0x1a, 0x2c, 0xf1, 0x0a, 0x94, 0x06, 0x96, 0xd7,
+	0x27, 0xb5, 0x42, 0x68, 0x8b, 0x36, 0x7f, 0x14, 0x7e, 0x43, 0xcd, 0x77, 0x08, 0x96, 0x8f, 0x89,
+	0xbc, 0xf8, 0x9b, 0xb3, 0x73, 0xea, 0x1a, 0xe4, 0x71, 0x9f, 0x48, 0x85, 0x7f, 0x80, 0xc5, 0x01,
+	0x11, 0x92, 0x72, 0x66, 0x52, 0x76, 0xce, 0x63, 0xa8, 0x4a, 0x6c, 0x3b, 0x62, 0xe7, 0x1c, 0xff,
+	0x0e, 0x65, 0x49, 0x59, 0xd7, 0x64, 0xdc, 0x89, 0x60, 0x2b, 0xed, 0xf5, 0x49, 0x7d, 0x18, 0x0b,
+	0x32, 0x19, 0x4a, 0x1d, 0x16, 0xd4, 0xd0, 0x27, 0x66, 0x5f, 0x78, 0xb5, 0x62, 0x88, 0xfc, 0x75,
+	0xb0, 0xff, 0x5f, 0x78, 0x78, 0x0b, 0x96, 0x04, 0x91, 0x3e, 0x67, 0x92, 0x98, 0x8c, 0x33, 0x9b,
+	0xd4, 0xe6, 0xc3, 0x80, 0x6f, 0x12, 0xeb, 0x49, 0x60, 0xc4, 0xbf, 0xc2, 0x22, 0x11, 0x82, 0x0b,
+	0xd3, 0x21, 0xca, 0xa2, 0x5e, 0xad, 0x14, 0xe6, 0xc7, 0x7a, 0x44, 0xa3, 0x2e, 0x7c, 0x5b, 0xef,
+	0x84, 0x34, 0x1a, 0x95, 0x30, 0xee, 0x9f, 0x30, 0xac, 0x79, 0x89, 0x00, 0x67, 0x9b, 0x8d, 0x20,
+	0xef, 0xd3, 0xed, 0x5f, 0x50, 0x4e, 0x68, 0x4e, 0x58, 0xcb, 0xed, 0xd6, 0x88, 0x83, 0x0e, 0xe6,
+	0xaf, 0xde, 0x7e, 0x3f, 0x67, 0xa4, 0x87, 0x26, 0x35, 0xbd, 0x02, 0xa5, 0x6c, 0xaf, 0xd1, 0xa6,
+	0x79, 0x59, 0x84, 0xf5, 0x23, 0x66, 0x0b, 0xd2, 0x23, 0x4c, 0x59, 0xde, 0x6d, 0x92, 0xc6, 0x18,
+	0x40, 0x1f, 0xcd, 0x40, 0x61, 0xbc, 0x98, 0xa7, 0x08, 0xea, 0x94, 0x51, 0x45, 0x2d, 0xcf, 0x4c,
+	0xaa, 0x37, 0xe3, 0x51, 0xc8, 0x5a, 0x31, 0x6c, 0xfd, 0x38, 0x2f, 0xcd, 0xa4, 0x5a, 0xf5, 0xa3,
+	0x08, 0x31, 0x19, 0xcf, 0x69, 0x8c, 0x17, 0x09, 0x7a, 0x95, 0xe6, 0x7b, 0x3f, 0xaf, 0x1a, 0xb4,
+	0x7f, 0x83, 0xf9, 0xde, 0x5d, 0xd6, 0x4c, 0xd7, 0xe8, 0x0d, 0x82, 0x8d, 0x3b, 0x06, 0x10, 0x8b,
+	0x4c, 0x87, 0x6f, 0xe5, 0x50, 0x2a, 0xd2, 0x33, 0x73, 0xb4, 0xb6, 0x1c, 0xb9, 0x4e, 0x1f, 0x54,
+	0x71, 0x3b, 0xb0, 0x2c, 0x48, 0x8f, 0x0f, 0x88, 0x63, 0xa6, 0x48, 0x01, 0x81, 0x65, 0xa3, 0x1a,
+	0x3b, 0x8c, 0x9b, 0xe0, 0x7c, 0x0d, 0x3e, 0x2f, 0x42, 0x35, 0xa6, 0x30, 0x0d, 0xfd, 0x04, 0xdd,
+	0x35, 0x00, 0x6c, 0xee, 0x79, 0xc4, 0x0e, 0x5e, 0xab, 0x78, 0x8a, 0x19, 0x0b, 0x7e, 0x32, 0x5d,
+	0x7b, 0xfb, 0xf9, 0x43, 0x18, 0xaf, 0xf1, 0x8b, 0xd7, 0xdb, 0x35, 0x82, 0x72, 0xca, 0xc8, 0xac,
+	0xda, 0x9a, 0x46, 0xc3, 0x98, 0xf6, 0x8a, 0x0f, 0xa6, 0xbd, 0xf9, 0x69, 0xda, 0x2b, 0x65, 0xb4,
+	0xd7, 0x7e, 0x51, 0x80, 0xb5, 0x7d, 0xd7, 0x15, 0xc4, 0xb5, 0x14, 0x71, 0xd2, 0x1b, 0xd5, 0x21,
+	0x62, 0x40, 0x6d, 0x82, 0x7d, 0xa8, 0x77, 0x94, 0x20, 0x56, 0x2f, 0x0d, 0x4a, 0x21, 0xb7, 0xf2,
+	0xca, 0xbd, 0xf5, 0x2c, 0x69, 0x3f, 0x4d, 0x0b, 0x8b, 0x68, 0x6f, 0xce, 0x6d, 0xa3, 0x5d, 0x84,
+	0x9f, 0x21, 0x68, 0x64, 0x2e, 0x79, 0x5e, 0xde, 0xdd, 0x59, 0x5f, 0x46, 0x6d, 0x6f, 0x86, 0x13,
+	0xd9, 0x6a, 0xda, 0x03, 0x58, 0x4a, 0xf2, 0x76, 0xc2, 0x2f, 0x76, 0x60, 0xf5, 0x50, 0x2a, 0xeb,
+	0xcc, 0xa3, 0xf2, 0xe2, 0xc6, 0x15, 0x8e, 0x08, 0xff, 0x78, 0x9f, 0x5b, 0xa3, 0x6d, 0x4c, 0x22,
+	0x59, 0xc6, 0x79, 0x15, 0x2c, 0xde, 0x80, 0x53, 0xd6, 0x9d, 0x94, 0x75, 0x32, 0x9e, 0x76, 0xaf,
+	0xa2, 0xa2, 0xac, 0x07, 0x3b, 0x2f, 0x47, 0x0d, 0x74, 0x35, 0x6a, 0xa0, 0xd7, 0xa3, 0x06, 0xba,
+	0x1e, 0x35, 0xd0, 0xa3, 0x7a, 0x74, 0x98, 0xf2, 0x96, 0xe5, 0xd3, 0x56, 0xf6, 0x8f, 0xec, 0xec,
+	0xab, 0xf0, 0x4f, 0xec, 0x97, 0xf7, 0x01, 0x00, 0x00, 0xff, 0xff, 0xa7, 0xf2, 0x04, 0xf7, 0x03,
+	0x0a, 0x00, 0x00,
 }
diff --git a/mcp/v1alpha1/mcp.proto b/mcp/v1alpha1/mcp.proto
index 9730430c9c..777f6ae0c6 100644
--- a/mcp/v1alpha1/mcp.proto
+++ b/mcp/v1alpha1/mcp.proto
@@ -16,25 +16,24 @@ syntax = "proto3";
 
 package istio.mcp.v1alpha1;
 
-import "google/protobuf/struct.proto";
 import "google/rpc/status.proto";
 import "gogoproto/gogo.proto";
-import "mcp/v1alpha1/envelope.proto";
+import "mcp/v1alpha1/resource.proto";
 
 option go_package="istio.io/api/mcp/v1alpha1";
 option (gogoproto.equal_all) = true;
 
-// Identifies a specific MCP client instance. The client identifier is
-// presented to the management server, which may use this identifier
-// to distinguish per client configuration for serving. This
-// information is not authoriative. Authoritative identity should come
+// Identifies a specific MCP sink node instance. The node identifier is
+// presented to the resource source, which may use this identifier
+// to distinguish per sink configuration for serving. This
+// information is not authoritative. Authoritative identity should come
 // from the underlying transport layer (e.g. rpc credentials).
-message Client {
-  // An opaque identifier for the MCP client.
+message SinkNode {
+  // An opaque identifier for the MCP node.
   string id = 1;
 
-  // Opaque metadata extending the client identifier.
-  google.protobuf.Struct metadata = 2;
+  // Opaque annotations extending the node identifier.
+  map<string,string> annotations = 2;
 }
 
 // A MeshConfigRequest requests a set of versioned resources of the
@@ -50,8 +49,8 @@ message MeshConfigRequest {
   // below) has an independent version associated with it.
   string version_info = 1;
 
-  // The client making the request.
-  Client client = 2;
+  // The sink node making the request.
+  SinkNode sink_node = 2;
 
   // Type of the resource that is being requested, e.g.
   // "type.googleapis.com/istio.io.networking.v1alpha3.VirtualService".
@@ -78,13 +77,13 @@ message MeshConfigResponse {
   // The version of the response data.
   string version_info = 1;
 
-  // The response resources wrapped in the common MCP *Envelope*
+  // The response resources wrapped in the common MCP *Resource*
   // message.
-  repeated Envelope envelopes = 2 [(gogoproto.nullable) = false];
+  repeated Resource resources = 2 [(gogoproto.nullable) = false];
 
-  // Type URL for resources wrapped in the provided envelope(s). This
+  // Type URL for resources wrapped in the provided resources(s). This
   // must be consistent with the type_url in the wrapper messages if
-  // envelopes is non-empty.
+  // resources is non-empty.
   string type_url = 3;
 
   // The nonce provides a way to explicitly ack a specific
@@ -106,8 +105,8 @@ message MeshConfigResponse {
 //      In this case the response_nonce is set to the nonce value in the Response.
 //      ACK or NACK is determined by the absence or presence of error_detail.
 message IncrementalMeshConfigRequest {
-  // The client making the request.
-  Client client = 1;
+  // The sink node making the request.
+  SinkNode sink_node = 1;
 
   // Type of the resource that is being requested, e.g.
   // "type.googleapis.com/istio.io.networking.v1alpha3.VirtualService".
@@ -149,10 +148,10 @@ message IncrementalMeshConfigResponse {
   // The version of the response data (used for debugging).
   string system_version_info = 1;
 
-  // The response resources wrapped in the common MCP *Envelope*
+  // The response resources wrapped in the common MCP *Resource*
   // message. These are typed resources that match the type url in the
   // IncrementalMeshConfigRequest.
-  repeated Envelope envelopes = 2 [(gogoproto.nullable) = false];
+  repeated Resource resources = 2 [(gogoproto.nullable) = false];
 
   // Resources names of resources that have be deleted and to be
   // removed from the MCP Client.  Removed resources for missing
@@ -184,3 +183,106 @@ service AggregatedMeshConfigService {
       returns (stream IncrementalMeshConfigResponse) {
   }
 }
+
+// A RequestResource can be sent in two situations:
+//
+// Initial message in an MCP bidirectional change stream
+// as an ACK or NACK response to a previous Resources. In
+// this case the response_nonce is set to the nonce value
+// in the Resources. ACK/NACK is determined by the presence
+// of error_detail.
+//
+// * ACK  (nonce!="",error_details==nil)
+// * NACK (nonce!="",error_details!=nil)
+// * New/Update request (nonce=="",error_details ignored)
+//
+message RequestResources {
+  // The sink node making the request.
+  SinkNode sink_node = 1;
+
+  // Type of resource collection that is being requested, e.g.
+  //
+  // istio/networking/v1alpha3/VirtualService
+  // k8s/<apiVersion>/<kind>
+  string collection = 2;
+
+  // When the RequestResources is the first in a stream, the initial_resource_versions must
+  // be populated. Otherwise, initial_resource_versions must be omitted. The keys are the
+  // resources names of the MCP resources known to the MCP client. The values in the map
+  // are the associated resource level version info.
+  map<string, string> initial_resource_versions = 3;
+
+  // When the RequestResources is an ACK or NACK message in response to a previous RequestResources,
+  // the response_nonce must be the nonce in the RequestResources. Otherwise response_nonce must
+  // be omitted.
+  string response_nonce = 4;
+
+  // This is populated when the previously received resources could not be applied
+  // The *message* field in *error_details* provides the source internal error
+  // related to the failure.
+  google.rpc.Status error_detail = 5;
+}
+
+// Resources do not need to include a full snapshot of the tracked
+// resources. Instead they are a diff to the state of a MCP client.
+// Per resource versions allow sources and sinks to track state at
+// the resource granularity. An MCP incremental session is always
+// in the context of a gRPC bidirectional stream. This allows the
+// MCP source to keep track of the state of MCP sink connected to
+// it.
+//
+// In Incremental MCP the nonce field is required and used to pair
+// Resources to an RequestResources ACK or NACK.
+message Resources {
+  // The version of the response data (used for debugging).
+  string system_version_info = 1;
+
+  // Type of resource collection that is being requested, e.g.
+  //
+  // istio/networking/v1alpha3/VirtualService
+  // k8s/<apiVersion>/<kind>
+  string collection = 2;
+
+  // The response resources wrapped in the common MCP *Resource* message.
+  // These are typed resources that match the type url in the
+  // RequestResources message.
+  repeated Resource resources = 3 [(gogoproto.nullable) = false];
+
+  // Names of resources that have been deleted and to be
+  // removed from the MCP sink node. Removed resources for missing
+  // resources can be ignored.
+  repeated string removed_resources = 4;
+
+  // Required. The nonce provides a way for RequestChange to uniquely
+  // reference a RequestResources.
+  string nonce = 5;
+}
+
+// ResourceSource and ResourceSink services are semantically
+// equivalent with regards to the message exchange. The only meaningful
+// difference is who initiates the connection and opens the stream. The
+// following high-level overview applies to both service variants.
+//
+// After the connection and streams have been established, the sink sends
+// a RequestResource messages to request the initial set of resources. The
+// source sends a Resource message when new resources are available for the
+// requested type. In response, the sink sends another RequestResource
+// to ACK/NACK the received resources and request the next set of resources.
+
+// Service where the sink is the gRPC client. The sink is responsible for
+// initiating connections and opening streams.
+service ResourceSource {
+  // The sink, acting as gRPC client, establishes a new resource stream
+  // with the source. The sink sends RequestResources message to
+  // and receives Resources messages from the source.
+  rpc EstablishResourceStream(stream RequestResources) returns (stream Resources) {}
+}
+
+// Service where the source is the gRPC client. The source is responsible for
+// initiating connections and opening streams.
+service ResourceSink {
+  // The source, acting as gRPC client, establishes a new resource stream
+  // with the sink. The sink sends RequestResources message to and
+  // receives Resources messages from the source.
+  rpc EstablishResourceStream(stream Resources) returns (stream RequestResources) {}
+}
diff --git a/mcp/v1alpha1/metadata.pb.go b/mcp/v1alpha1/metadata.pb.go
index 97555f1cf2..bdd4632a26 100644
--- a/mcp/v1alpha1/metadata.pb.go
+++ b/mcp/v1alpha1/metadata.pb.go
@@ -8,6 +8,7 @@ import fmt "fmt"
 import math "math"
 import _ "github.com/gogo/protobuf/gogoproto"
 import google_protobuf2 "github.com/gogo/protobuf/types"
+import _ "github.com/gogo/protobuf/types"
 
 import io "io"
 
@@ -18,16 +19,50 @@ var _ = math.Inf
 
 // Metadata information that all resources within the Mesh Configuration Protocol must have.
 type Metadata struct {
-	// The name of the resource. It is unique within the context of a
-	// resource type and the origin server of the resource. The resource
-	// type is identified by the TypeUrl of the resource field of the
-	// Envelope message.
+	// Fully qualified name of the resource. Unique in context of a collection.
+	//
+	// The fully qualified name consists of a directory and basename. The directory identifies
+	// the resources location in a resource hierarchy. The basename identifies the specific
+	// resource name within the context of that directory.
+	//
+	// The directory and basename are composed of one or more segments. Segments must be
+	// valid [DNS labels](https://tools.ietf.org/html/rfc1123). “/” is the delimiter between
+	// segments
+	//
+	// The rightmost segment is the basename. All segments to the
+	// left of the basename form the directory. Segments moving towards the left
+	// represent higher positions in the resource hierarchy, similar to reverse
+	// DNS notation. e.g.
+	//
+	//    /<org>/<team>/<subteam>/<resource basename>
+	//
+	// An empty directory indicates a resource that is located at the root of the
+	// hierarchy, e.g.
+	//
+	//    /<globally scoped resource>
+	//
+	// On Kubernetes the resource hierarchy is two-levels: namespaces and
+	// cluster-scoped (i.e. global).
+	//
+	// Namespace resources fully qualified name is of the form:
+	//
+	//    "/<k8s namespace>/<k8s resource name>"
+	//
+	// Cluster scoped resources are located at the root of the hierarchy and are of the form:
+	//
+	//    "/<k8s resource name>"
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// The creation timestamp of the resource.
 	CreateTime *google_protobuf2.Timestamp `protobuf:"bytes,2,opt,name=create_time,json=createTime" json:"create_time,omitempty"`
-	// The resource level version. It allows MCP to track the state of
-	// individual resources.
+	// Resource version. This is used to determine when resources change across
+	// resource updates. It should be treated as opaque by consumers/sinks.
 	Version string `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"`
+	// Map of string keys and values that can be used to organize and categorize
+	// resources within a collection.
+	Labels map[string]string `protobuf:"bytes,4,rep,name=labels" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	// Map of string keys and values that can be used by source and sink to communicate
+	// arbitrary metadata about this resource.
+	Annotations map[string]string `protobuf:"bytes,5,rep,name=annotations" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
 
 func (m *Metadata) Reset()                    { *m = Metadata{} }
@@ -56,6 +91,20 @@ func (m *Metadata) GetVersion() string {
 	return ""
 }
 
+func (m *Metadata) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+func (m *Metadata) GetAnnotations() map[string]string {
+	if m != nil {
+		return m.Annotations
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterType((*Metadata)(nil), "istio.mcp.v1alpha1.Metadata")
 }
@@ -87,6 +136,22 @@ func (this *Metadata) Equal(that interface{}) bool {
 	if this.Version != that1.Version {
 		return false
 	}
+	if len(this.Labels) != len(that1.Labels) {
+		return false
+	}
+	for i := range this.Labels {
+		if this.Labels[i] != that1.Labels[i] {
+			return false
+		}
+	}
+	if len(this.Annotations) != len(that1.Annotations) {
+		return false
+	}
+	for i := range this.Annotations {
+		if this.Annotations[i] != that1.Annotations[i] {
+			return false
+		}
+	}
 	return true
 }
 func (m *Metadata) Marshal() (dAtA []byte, err error) {
@@ -126,6 +191,40 @@ func (m *Metadata) MarshalTo(dAtA []byte) (int, error) {
 		i = encodeVarintMetadata(dAtA, i, uint64(len(m.Version)))
 		i += copy(dAtA[i:], m.Version)
 	}
+	if len(m.Labels) > 0 {
+		for k, _ := range m.Labels {
+			dAtA[i] = 0x22
+			i++
+			v := m.Labels[k]
+			mapSize := 1 + len(k) + sovMetadata(uint64(len(k))) + 1 + len(v) + sovMetadata(uint64(len(v)))
+			i = encodeVarintMetadata(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintMetadata(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintMetadata(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.Annotations) > 0 {
+		for k, _ := range m.Annotations {
+			dAtA[i] = 0x2a
+			i++
+			v := m.Annotations[k]
+			mapSize := 1 + len(k) + sovMetadata(uint64(len(k))) + 1 + len(v) + sovMetadata(uint64(len(v)))
+			i = encodeVarintMetadata(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintMetadata(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintMetadata(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
 	return i, nil
 }
 
@@ -153,6 +252,22 @@ func (m *Metadata) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovMetadata(uint64(l))
 	}
+	if len(m.Labels) > 0 {
+		for k, v := range m.Labels {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovMetadata(uint64(len(k))) + 1 + len(v) + sovMetadata(uint64(len(v)))
+			n += mapEntrySize + 1 + sovMetadata(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Annotations) > 0 {
+		for k, v := range m.Annotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovMetadata(uint64(len(k))) + 1 + len(v) + sovMetadata(uint64(len(v)))
+			n += mapEntrySize + 1 + sovMetadata(uint64(mapEntrySize))
+		}
+	}
 	return n
 }
 
@@ -289,6 +404,242 @@ func (m *Metadata) Unmarshal(dAtA []byte) error {
 			}
 			m.Version = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMetadata
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthMetadata
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Labels == nil {
+				m.Labels = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowMetadata
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMetadata
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthMetadata
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMetadata
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthMetadata
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipMetadata(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthMetadata
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Labels[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Annotations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowMetadata
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthMetadata
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Annotations == nil {
+				m.Annotations = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowMetadata
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMetadata
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthMetadata
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowMetadata
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthMetadata
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipMetadata(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthMetadata
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Annotations[mapkey] = mapvalue
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipMetadata(dAtA[iNdEx:])
@@ -418,19 +769,26 @@ var (
 func init() { proto.RegisterFile("mcp/v1alpha1/metadata.proto", fileDescriptorMetadata) }
 
 var fileDescriptorMetadata = []byte{
-	// 220 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x4c, 0x8f, 0xbf, 0x4e, 0xc5, 0x20,
-	0x18, 0xc5, 0x83, 0x1a, 0xff, 0x70, 0x37, 0xe2, 0x80, 0x35, 0xc1, 0x1b, 0xa7, 0x26, 0x26, 0x90,
-	0xea, 0xe8, 0xe6, 0xee, 0xd2, 0x38, 0xb9, 0x98, 0xaf, 0x15, 0x91, 0xa4, 0xf4, 0x23, 0x2d, 0xed,
-	0x33, 0xf9, 0x28, 0x8e, 0x3e, 0x82, 0xe1, 0x49, 0x4c, 0x41, 0x92, 0xbb, 0x9d, 0x03, 0x3f, 0x7e,
-	0xe4, 0xd0, 0x6b, 0xd7, 0x7b, 0xb5, 0x36, 0x30, 0xf8, 0x4f, 0x68, 0x94, 0xd3, 0x01, 0xde, 0x21,
-	0x80, 0xf4, 0x13, 0x06, 0x64, 0xcc, 0xce, 0xc1, 0xa2, 0x74, 0xbd, 0x97, 0x05, 0xa9, 0x2e, 0x0d,
-	0x1a, 0x4c, 0xd7, 0x6a, 0x4b, 0x99, 0xac, 0x6e, 0x0c, 0xa2, 0x19, 0xb4, 0x4a, 0xad, 0x5b, 0x3e,
-	0x54, 0xb0, 0x4e, 0xcf, 0x01, 0x9c, 0xcf, 0xc0, 0xed, 0x42, 0xcf, 0x9f, 0xff, 0xe5, 0x8c, 0xd1,
-	0x93, 0x11, 0x9c, 0xe6, 0x64, 0x4f, 0xea, 0x8b, 0x36, 0x65, 0xf6, 0x48, 0x77, 0xfd, 0xa4, 0x21,
-	0xe8, 0xb7, 0xed, 0x25, 0x3f, 0xda, 0x93, 0x7a, 0x77, 0x5f, 0xc9, 0xac, 0x95, 0x45, 0x2b, 0x5f,
-	0x8a, 0xb6, 0xa5, 0x19, 0xdf, 0x0e, 0x18, 0xa7, 0x67, 0xab, 0x9e, 0x66, 0x8b, 0x23, 0x3f, 0x4e,
-	0xce, 0x52, 0x9f, 0xee, 0xbe, 0xa2, 0x20, 0xdf, 0x51, 0x90, 0x9f, 0x28, 0xc8, 0x6f, 0x14, 0xe4,
-	0xf5, 0x2a, 0x6f, 0xb2, 0xa8, 0xc0, 0x5b, 0x75, 0xb8, 0xbe, 0x3b, 0x4d, 0xdf, 0x3c, 0xfc, 0x05,
-	0x00, 0x00, 0xff, 0xff, 0x35, 0xb5, 0xd4, 0xb9, 0x14, 0x01, 0x00, 0x00,
+	// 335 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x92, 0xcf, 0x4a, 0xf3, 0x40,
+	0x10, 0xc0, 0xd9, 0xa6, 0xed, 0xf7, 0x75, 0x73, 0x29, 0x4b, 0x0f, 0x31, 0x4a, 0x2c, 0x9e, 0x02,
+	0xe2, 0x2e, 0xad, 0x17, 0xff, 0x80, 0xa8, 0xe0, 0x4d, 0x11, 0x82, 0x27, 0x2f, 0x32, 0x8d, 0x6b,
+	0x5c, 0x4c, 0xb2, 0x21, 0xbb, 0x2d, 0xf4, 0xec, 0xcb, 0xf8, 0x28, 0x1e, 0x7d, 0x04, 0xc9, 0x93,
+	0x48, 0x76, 0x13, 0x0c, 0x15, 0x04, 0x6f, 0x33, 0x99, 0xdf, 0xfc, 0x26, 0x33, 0x2c, 0xde, 0xce,
+	0xe2, 0x82, 0xad, 0x66, 0x90, 0x16, 0xcf, 0x30, 0x63, 0x19, 0xd7, 0xf0, 0x08, 0x1a, 0x68, 0x51,
+	0x4a, 0x2d, 0x09, 0x11, 0x4a, 0x0b, 0x49, 0xb3, 0xb8, 0xa0, 0x2d, 0xe2, 0x4f, 0x12, 0x99, 0x48,
+	0x53, 0x66, 0x75, 0x64, 0x49, 0x7f, 0x37, 0x91, 0x32, 0x49, 0x39, 0x33, 0xd9, 0x62, 0xf9, 0xc4,
+	0xb4, 0xc8, 0xb8, 0xd2, 0x90, 0x15, 0x0d, 0xb0, 0xb3, 0x09, 0x28, 0x5d, 0x2e, 0x63, 0x6d, 0xab,
+	0x7b, 0xaf, 0x0e, 0xfe, 0x7f, 0xd3, 0xcc, 0x26, 0x04, 0xf7, 0x73, 0xc8, 0xb8, 0x87, 0xa6, 0x28,
+	0x1c, 0x45, 0x26, 0x26, 0xa7, 0xd8, 0x8d, 0x4b, 0x0e, 0x9a, 0x3f, 0xd4, 0x62, 0xaf, 0x37, 0x45,
+	0xa1, 0x3b, 0xf7, 0xa9, 0x95, 0xd2, 0x56, 0x4a, 0xef, 0xda, 0xa9, 0x11, 0xb6, 0x78, 0xfd, 0x81,
+	0x78, 0xf8, 0xdf, 0x8a, 0x97, 0x4a, 0xc8, 0xdc, 0x73, 0x8c, 0xb3, 0x4d, 0xc9, 0x39, 0x1e, 0xa6,
+	0xb0, 0xe0, 0xa9, 0xf2, 0xfa, 0x53, 0x27, 0x74, 0xe7, 0x21, 0xfd, 0xb9, 0x31, 0x6d, 0x7f, 0x8c,
+	0x5e, 0x1b, 0xf4, 0x2a, 0xd7, 0xe5, 0x3a, 0x6a, 0xfa, 0xc8, 0x2d, 0x76, 0x21, 0xcf, 0xa5, 0x06,
+	0x2d, 0x64, 0xae, 0xbc, 0x81, 0xd1, 0x1c, 0xfc, 0xaa, 0xb9, 0xf8, 0xe6, 0xad, 0xab, 0x6b, 0xf0,
+	0x8f, 0xb1, 0xdb, 0x99, 0x43, 0xc6, 0xd8, 0x79, 0xe1, 0xeb, 0xe6, 0x16, 0x75, 0x48, 0x26, 0x78,
+	0xb0, 0x82, 0x74, 0x69, 0x8f, 0x30, 0x8a, 0x6c, 0x72, 0xd2, 0x3b, 0x42, 0xfe, 0x19, 0x1e, 0x6f,
+	0xba, 0xff, 0xd2, 0x7f, 0xb9, 0xff, 0x56, 0x05, 0xe8, 0xbd, 0x0a, 0xd0, 0x47, 0x15, 0xa0, 0xcf,
+	0x2a, 0x40, 0xf7, 0x5b, 0x76, 0x0f, 0x21, 0x19, 0x14, 0x82, 0x75, 0x9f, 0xca, 0x62, 0x68, 0x8e,
+	0x7e, 0xf8, 0x15, 0x00, 0x00, 0xff, 0xff, 0xdf, 0x5a, 0x3a, 0xeb, 0x41, 0x02, 0x00, 0x00,
 }
diff --git a/mcp/v1alpha1/metadata.proto b/mcp/v1alpha1/metadata.proto
index 823d991774..e02c5da3bc 100644
--- a/mcp/v1alpha1/metadata.proto
+++ b/mcp/v1alpha1/metadata.proto
@@ -18,22 +18,59 @@ package istio.mcp.v1alpha1;
 
 import "gogoproto/gogo.proto";
 import "google/protobuf/timestamp.proto";
+import "google/protobuf/struct.proto";
 
 option go_package="istio.io/api/mcp/v1alpha1";
 option (gogoproto.equal_all) = true;
 
 // Metadata information that all resources within the Mesh Configuration Protocol must have.
 message Metadata {
-  // The name of the resource. It is unique within the context of a
-  // resource type and the origin server of the resource. The resource
-  // type is identified by the TypeUrl of the resource field of the
-  // Envelope message.
+  // Fully qualified name of the resource. Unique in context of a collection.
+  //
+  // The fully qualified name consists of a directory and basename. The directory identifies
+  // the resources location in a resource hierarchy. The basename identifies the specific
+  // resource name within the context of that directory.
+  //
+  // The directory and basename are composed of one or more segments. Segments must be
+  // valid [DNS labels](https://tools.ietf.org/html/rfc1123). “/” is the delimiter between
+  // segments
+  //
+  // The rightmost segment is the basename. All segments to the
+  // left of the basename form the directory. Segments moving towards the left
+  // represent higher positions in the resource hierarchy, similar to reverse
+  // DNS notation. e.g.
+  //
+  //    /<org>/<team>/<subteam>/<resource basename>
+  //
+  // An empty directory indicates a resource that is located at the root of the
+  // hierarchy, e.g.
+  //
+  //    /<globally scoped resource>
+  //
+  // On Kubernetes the resource hierarchy is two-levels: namespaces and
+  // cluster-scoped (i.e. global).
+  //
+  // Namespace resources fully qualified name is of the form:
+  //
+  //    "/<k8s namespace>/<k8s resource name>"
+  //
+  // Cluster scoped resources are located at the root of the hierarchy and are of the form:
+  //
+  //    "/<k8s resource name>"
   string name = 1;
 
   // The creation timestamp of the resource.
   google.protobuf.Timestamp create_time = 2;
 
-  // The resource level version. It allows MCP to track the state of
-  // individual resources.
+  // Resource version. This is used to determine when resources change across
+  // resource updates. It should be treated as opaque by consumers/sinks.
   string version = 3;
+
+  // Map of string keys and values that can be used to organize and categorize
+  // resources within a collection.
+  map<string,string> labels = 4;
+
+  // Map of string keys and values that can be used by source and sink to communicate
+  // arbitrary metadata about this resource.
+  map<string,string> annotations = 5;
 }
diff --git a/mcp/v1alpha1/envelope.pb.go b/mcp/v1alpha1/resource.pb.go
similarity index 56%
rename from mcp/v1alpha1/envelope.pb.go
rename to mcp/v1alpha1/resource.pb.go
index 3eae73c787..9ea11cf6d3 100644
--- a/mcp/v1alpha1/envelope.pb.go
+++ b/mcp/v1alpha1/resource.pb.go
@@ -1,25 +1,6 @@
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
-// source: mcp/v1alpha1/envelope.proto
+// source: mcp/v1alpha1/resource.proto
 
-/*
-	Package v1alpha1 is a generated protocol buffer package.
-
-	This package defines the common, core types used by the Mesh Configuration Protocol.
-
-	It is generated from these files:
-		mcp/v1alpha1/envelope.proto
-		mcp/v1alpha1/mcp.proto
-		mcp/v1alpha1/metadata.proto
-
-	It has these top-level messages:
-		Envelope
-		Client
-		MeshConfigRequest
-		MeshConfigResponse
-		IncrementalMeshConfigRequest
-		IncrementalMeshConfigResponse
-		Metadata
-*/
 package v1alpha1
 
 import proto "github.com/gogo/protobuf/proto"
@@ -35,51 +16,45 @@ var _ = proto.Marshal
 var _ = fmt.Errorf
 var _ = math.Inf
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
-
-// Envelope for a configuration resource as transferred via the Mesh Configuration Protocol.
-// Each envelope is made up of common metadata, and a type-specific resource payload.
-type Envelope struct {
+// Resource as transferred via the Mesh Configuration Protocol. Each
+// resource is made up of common metadata, and a type-specific resource payload.
+type Resource struct {
 	// Common metadata describing the resource.
 	Metadata *Metadata `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
-	// The resource itself.
-	Resource *google_protobuf.Any `protobuf:"bytes,2,opt,name=resource" json:"resource,omitempty"`
+	// The primary payload for the resource.
+	Body *google_protobuf.Any `protobuf:"bytes,2,opt,name=body" json:"body,omitempty"`
 }
 
-func (m *Envelope) Reset()                    { *m = Envelope{} }
-func (m *Envelope) String() string            { return proto.CompactTextString(m) }
-func (*Envelope) ProtoMessage()               {}
-func (*Envelope) Descriptor() ([]byte, []int) { return fileDescriptorEnvelope, []int{0} }
+func (m *Resource) Reset()                    { *m = Resource{} }
+func (m *Resource) String() string            { return proto.CompactTextString(m) }
+func (*Resource) ProtoMessage()               {}
+func (*Resource) Descriptor() ([]byte, []int) { return fileDescriptorResource, []int{0} }
 
-func (m *Envelope) GetMetadata() *Metadata {
+func (m *Resource) GetMetadata() *Metadata {
 	if m != nil {
 		return m.Metadata
 	}
 	return nil
 }
 
-func (m *Envelope) GetResource() *google_protobuf.Any {
+func (m *Resource) GetBody() *google_protobuf.Any {
 	if m != nil {
-		return m.Resource
+		return m.Body
 	}
 	return nil
 }
 
 func init() {
-	proto.RegisterType((*Envelope)(nil), "istio.mcp.v1alpha1.Envelope")
+	proto.RegisterType((*Resource)(nil), "istio.mcp.v1alpha1.Resource")
 }
-func (this *Envelope) Equal(that interface{}) bool {
+func (this *Resource) Equal(that interface{}) bool {
 	if that == nil {
 		return this == nil
 	}
 
-	that1, ok := that.(*Envelope)
+	that1, ok := that.(*Resource)
 	if !ok {
-		that2, ok := that.(Envelope)
+		that2, ok := that.(Resource)
 		if ok {
 			that1 = &that2
 		} else {
@@ -94,12 +69,12 @@ func (this *Envelope) Equal(that interface{}) bool {
 	if !this.Metadata.Equal(that1.Metadata) {
 		return false
 	}
-	if !this.Resource.Equal(that1.Resource) {
+	if !this.Body.Equal(that1.Body) {
 		return false
 	}
 	return true
 }
-func (m *Envelope) Marshal() (dAtA []byte, err error) {
+func (m *Resource) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
 	n, err := m.MarshalTo(dAtA)
@@ -109,7 +84,7 @@ func (m *Envelope) Marshal() (dAtA []byte, err error) {
 	return dAtA[:n], nil
 }
 
-func (m *Envelope) MarshalTo(dAtA []byte) (int, error) {
+func (m *Resource) MarshalTo(dAtA []byte) (int, error) {
 	var i int
 	_ = i
 	var l int
@@ -117,18 +92,18 @@ func (m *Envelope) MarshalTo(dAtA []byte) (int, error) {
 	if m.Metadata != nil {
 		dAtA[i] = 0xa
 		i++
-		i = encodeVarintEnvelope(dAtA, i, uint64(m.Metadata.Size()))
+		i = encodeVarintResource(dAtA, i, uint64(m.Metadata.Size()))
 		n1, err := m.Metadata.MarshalTo(dAtA[i:])
 		if err != nil {
 			return 0, err
 		}
 		i += n1
 	}
-	if m.Resource != nil {
+	if m.Body != nil {
 		dAtA[i] = 0x12
 		i++
-		i = encodeVarintEnvelope(dAtA, i, uint64(m.Resource.Size()))
-		n2, err := m.Resource.MarshalTo(dAtA[i:])
+		i = encodeVarintResource(dAtA, i, uint64(m.Body.Size()))
+		n2, err := m.Body.MarshalTo(dAtA[i:])
 		if err != nil {
 			return 0, err
 		}
@@ -137,7 +112,7 @@ func (m *Envelope) MarshalTo(dAtA []byte) (int, error) {
 	return i, nil
 }
 
-func encodeVarintEnvelope(dAtA []byte, offset int, v uint64) int {
+func encodeVarintResource(dAtA []byte, offset int, v uint64) int {
 	for v >= 1<<7 {
 		dAtA[offset] = uint8(v&0x7f | 0x80)
 		v >>= 7
@@ -146,21 +121,21 @@ func encodeVarintEnvelope(dAtA []byte, offset int, v uint64) int {
 	dAtA[offset] = uint8(v)
 	return offset + 1
 }
-func (m *Envelope) Size() (n int) {
+func (m *Resource) Size() (n int) {
 	var l int
 	_ = l
 	if m.Metadata != nil {
 		l = m.Metadata.Size()
-		n += 1 + l + sovEnvelope(uint64(l))
+		n += 1 + l + sovResource(uint64(l))
 	}
-	if m.Resource != nil {
-		l = m.Resource.Size()
-		n += 1 + l + sovEnvelope(uint64(l))
+	if m.Body != nil {
+		l = m.Body.Size()
+		n += 1 + l + sovResource(uint64(l))
 	}
 	return n
 }
 
-func sovEnvelope(x uint64) (n int) {
+func sovResource(x uint64) (n int) {
 	for {
 		n++
 		x >>= 7
@@ -170,10 +145,10 @@ func sovEnvelope(x uint64) (n int) {
 	}
 	return n
 }
-func sozEnvelope(x uint64) (n int) {
-	return sovEnvelope(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+func sozResource(x uint64) (n int) {
+	return sovResource(uint64((x << 1) ^ uint64((int64(x) >> 63))))
 }
-func (m *Envelope) Unmarshal(dAtA []byte) error {
+func (m *Resource) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -181,7 +156,7 @@ func (m *Envelope) Unmarshal(dAtA []byte) error {
 		var wire uint64
 		for shift := uint(0); ; shift += 7 {
 			if shift >= 64 {
-				return ErrIntOverflowEnvelope
+				return ErrIntOverflowResource
 			}
 			if iNdEx >= l {
 				return io.ErrUnexpectedEOF
@@ -196,10 +171,10 @@ func (m *Envelope) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: Envelope: wiretype end group for non-group")
+			return fmt.Errorf("proto: Resource: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: Envelope: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: Resource: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
@@ -209,7 +184,7 @@ func (m *Envelope) Unmarshal(dAtA []byte) error {
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
-					return ErrIntOverflowEnvelope
+					return ErrIntOverflowResource
 				}
 				if iNdEx >= l {
 					return io.ErrUnexpectedEOF
@@ -222,7 +197,7 @@ func (m *Envelope) Unmarshal(dAtA []byte) error {
 				}
 			}
 			if msglen < 0 {
-				return ErrInvalidLengthEnvelope
+				return ErrInvalidLengthResource
 			}
 			postIndex := iNdEx + msglen
 			if postIndex > l {
@@ -237,12 +212,12 @@ func (m *Envelope) Unmarshal(dAtA []byte) error {
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Body", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
-					return ErrIntOverflowEnvelope
+					return ErrIntOverflowResource
 				}
 				if iNdEx >= l {
 					return io.ErrUnexpectedEOF
@@ -255,27 +230,27 @@ func (m *Envelope) Unmarshal(dAtA []byte) error {
 				}
 			}
 			if msglen < 0 {
-				return ErrInvalidLengthEnvelope
+				return ErrInvalidLengthResource
 			}
 			postIndex := iNdEx + msglen
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.Resource == nil {
-				m.Resource = &google_protobuf.Any{}
+			if m.Body == nil {
+				m.Body = &google_protobuf.Any{}
 			}
-			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if err := m.Body.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
-			skippy, err := skipEnvelope(dAtA[iNdEx:])
+			skippy, err := skipResource(dAtA[iNdEx:])
 			if err != nil {
 				return err
 			}
 			if skippy < 0 {
-				return ErrInvalidLengthEnvelope
+				return ErrInvalidLengthResource
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
@@ -289,14 +264,14 @@ func (m *Envelope) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func skipEnvelope(dAtA []byte) (n int, err error) {
+func skipResource(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
 		var wire uint64
 		for shift := uint(0); ; shift += 7 {
 			if shift >= 64 {
-				return 0, ErrIntOverflowEnvelope
+				return 0, ErrIntOverflowResource
 			}
 			if iNdEx >= l {
 				return 0, io.ErrUnexpectedEOF
@@ -313,7 +288,7 @@ func skipEnvelope(dAtA []byte) (n int, err error) {
 		case 0:
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
-					return 0, ErrIntOverflowEnvelope
+					return 0, ErrIntOverflowResource
 				}
 				if iNdEx >= l {
 					return 0, io.ErrUnexpectedEOF
@@ -331,7 +306,7 @@ func skipEnvelope(dAtA []byte) (n int, err error) {
 			var length int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
-					return 0, ErrIntOverflowEnvelope
+					return 0, ErrIntOverflowResource
 				}
 				if iNdEx >= l {
 					return 0, io.ErrUnexpectedEOF
@@ -345,7 +320,7 @@ func skipEnvelope(dAtA []byte) (n int, err error) {
 			}
 			iNdEx += length
 			if length < 0 {
-				return 0, ErrInvalidLengthEnvelope
+				return 0, ErrInvalidLengthResource
 			}
 			return iNdEx, nil
 		case 3:
@@ -354,7 +329,7 @@ func skipEnvelope(dAtA []byte) (n int, err error) {
 				var start int = iNdEx
 				for shift := uint(0); ; shift += 7 {
 					if shift >= 64 {
-						return 0, ErrIntOverflowEnvelope
+						return 0, ErrIntOverflowResource
 					}
 					if iNdEx >= l {
 						return 0, io.ErrUnexpectedEOF
@@ -370,7 +345,7 @@ func skipEnvelope(dAtA []byte) (n int, err error) {
 				if innerWireType == 4 {
 					break
 				}
-				next, err := skipEnvelope(dAtA[start:])
+				next, err := skipResource(dAtA[start:])
 				if err != nil {
 					return 0, err
 				}
@@ -390,26 +365,25 @@ func skipEnvelope(dAtA []byte) (n int, err error) {
 }
 
 var (
-	ErrInvalidLengthEnvelope = fmt.Errorf("proto: negative length found during unmarshaling")
-	ErrIntOverflowEnvelope   = fmt.Errorf("proto: integer overflow")
+	ErrInvalidLengthResource = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowResource   = fmt.Errorf("proto: integer overflow")
 )
 
-func init() { proto.RegisterFile("mcp/v1alpha1/envelope.proto", fileDescriptorEnvelope) }
+func init() { proto.RegisterFile("mcp/v1alpha1/resource.proto", fileDescriptorResource) }
 
-var fileDescriptorEnvelope = []byte{
-	// 211 bytes of a gzipped FileDescriptorProto
+var fileDescriptorResource = []byte{
+	// 207 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x92, 0xce, 0x4d, 0x2e, 0xd0,
-	0x2f, 0x33, 0x4c, 0xcc, 0x29, 0xc8, 0x48, 0x34, 0xd4, 0x4f, 0xcd, 0x2b, 0x4b, 0xcd, 0xc9, 0x2f,
-	0x48, 0xd5, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xca, 0x2c, 0x2e, 0xc9, 0xcc, 0xd7, 0xcb,
+	0x2f, 0x33, 0x4c, 0xcc, 0x29, 0xc8, 0x48, 0x34, 0xd4, 0x2f, 0x4a, 0x2d, 0xce, 0x2f, 0x2d, 0x4a,
+	0x4e, 0xd5, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xca, 0x2c, 0x2e, 0xc9, 0xcc, 0xd7, 0xcb,
 	0x4d, 0x2e, 0xd0, 0x83, 0x29, 0x91, 0x92, 0x4c, 0xcf, 0xcf, 0x4f, 0xcf, 0x49, 0xd5, 0x07, 0xab,
 	0x48, 0x2a, 0x4d, 0xd3, 0x4f, 0xcc, 0xab, 0x84, 0x28, 0x97, 0x12, 0x49, 0xcf, 0x4f, 0xcf, 0x07,
 	0x33, 0xf5, 0x41, 0x2c, 0xa8, 0x28, 0xaa, 0x0d, 0xb9, 0xa9, 0x25, 0x89, 0x29, 0x89, 0x25, 0x89,
-	0x10, 0x49, 0xa5, 0x32, 0x2e, 0x0e, 0x57, 0xa8, 0x9d, 0x42, 0x16, 0x5c, 0x1c, 0x30, 0x59, 0x09,
+	0x10, 0x49, 0xa5, 0x3c, 0x2e, 0x8e, 0x20, 0xa8, 0x9d, 0x42, 0x16, 0x5c, 0x1c, 0x30, 0x59, 0x09,
 	0x46, 0x05, 0x46, 0x0d, 0x6e, 0x23, 0x19, 0x3d, 0x4c, 0x07, 0xe8, 0xf9, 0x42, 0xd5, 0x04, 0xc1,
-	0x55, 0x0b, 0x19, 0x70, 0x71, 0x14, 0xa5, 0x16, 0xe7, 0x97, 0x16, 0x25, 0xa7, 0x4a, 0x30, 0x81,
-	0x75, 0x8a, 0xe8, 0x41, 0x9c, 0xa9, 0x07, 0x73, 0xa6, 0x9e, 0x63, 0x5e, 0x65, 0x10, 0x5c, 0x95,
-	0x93, 0xf6, 0x8a, 0x47, 0x72, 0x8c, 0x27, 0x1e, 0xc9, 0x31, 0x5e, 0x78, 0x24, 0xc7, 0xf8, 0xe0,
-	0x91, 0x1c, 0x63, 0x94, 0x24, 0xc4, 0xaa, 0xcc, 0x7c, 0xfd, 0xc4, 0x82, 0x4c, 0x7d, 0x64, 0x37,
-	0x27, 0xb1, 0x81, 0x0d, 0x31, 0x06, 0x04, 0x00, 0x00, 0xff, 0xff, 0x02, 0xf2, 0x13, 0xb4, 0x2c,
-	0x01, 0x00, 0x00,
+	0x55, 0x0b, 0x69, 0x70, 0xb1, 0x24, 0xe5, 0xa7, 0x54, 0x4a, 0x30, 0x81, 0x75, 0x89, 0xe8, 0x41,
+	0x9c, 0xa8, 0x07, 0x73, 0xa2, 0x9e, 0x63, 0x5e, 0x65, 0x10, 0x58, 0x85, 0x93, 0xf6, 0x8a, 0x47,
+	0x72, 0x8c, 0x27, 0x1e, 0xc9, 0x31, 0x5e, 0x78, 0x24, 0xc7, 0xf8, 0xe0, 0x91, 0x1c, 0x63, 0x94,
+	0x24, 0xc4, 0x8a, 0xcc, 0x7c, 0xfd, 0xc4, 0x82, 0x4c, 0x7d, 0x64, 0xb7, 0x26, 0xb1, 0x81, 0x0d,
+	0x30, 0x06, 0x04, 0x00, 0x00, 0xff, 0xff, 0xd3, 0xae, 0x63, 0x31, 0x24, 0x01, 0x00, 0x00,
 }
diff --git a/mcp/v1alpha1/envelope.proto b/mcp/v1alpha1/resource.proto
similarity index 79%
rename from mcp/v1alpha1/envelope.proto
rename to mcp/v1alpha1/resource.proto
index 28ba4ca8ef..0698bb32bf 100644
--- a/mcp/v1alpha1/envelope.proto
+++ b/mcp/v1alpha1/resource.proto
@@ -24,12 +24,12 @@ import "mcp/v1alpha1/metadata.proto";
 option go_package="istio.io/api/mcp/v1alpha1";
 option (gogoproto.equal_all) = true;
 
-// Envelope for a configuration resource as transferred via the Mesh Configuration Protocol.
-// Each envelope is made up of common metadata, and a type-specific resource payload.
-message Envelope {
+// Resource as transferred via the Mesh Configuration Protocol. Each
+// resource is made up of common metadata, and a type-specific resource payload.
+message Resource {
     // Common metadata describing the resource.
     istio.mcp.v1alpha1.Metadata metadata = 1;
 
-    // The resource itself.
-    google.protobuf.Any resource = 2;
+    // The primary payload for the resource.
+    google.protobuf.Any body = 2;
 }
diff --git a/proto.lock b/proto.lock
index 95cf510647..537573d06c 100644
--- a/proto.lock
+++ b/proto.lock
@@ -417,44 +417,27 @@
         ]
       }
     },
-    {
-      "protopath": "mcp:/:v1alpha1:/:envelope.proto",
-      "def": {
-        "messages": [
-          {
-            "name": "Envelope",
-            "fields": [
-              {
-                "id": 1,
-                "name": "metadata",
-                "type": "istio.mcp.v1alpha1.Metadata"
-              },
-              {
-                "id": 2,
-                "name": "resource",
-                "type": "google.protobuf.Any"
-              }
-            ]
-          }
-        ]
-      }
-    },
     {
       "protopath": "mcp:/:v1alpha1:/:mcp.proto",
       "def": {
         "messages": [
           {
-            "name": "Client",
+            "name": "SinkNode",
             "fields": [
               {
                 "id": 1,
                 "name": "id",
                 "type": "string"
-              },
+              }
+            ],
+            "maps": [
               {
-                "id": 2,
-                "name": "metadata",
-                "type": "google.protobuf.Struct"
+                "key_type": "string",
+                "field": {
+                  "id": 2,
+                  "name": "annotations",
+                  "type": "string"
+                }
               }
             ]
           },
@@ -468,8 +451,8 @@
               },
               {
                 "id": 2,
-                "name": "client",
-                "type": "Client"
+                "name": "sink_node",
+                "type": "SinkNode"
               },
               {
                 "id": 3,
@@ -498,8 +481,8 @@
               },
               {
                 "id": 2,
-                "name": "envelopes",
-                "type": "Envelope",
+                "name": "resources",
+                "type": "Resource",
                 "is_repeated": true
               },
               {
@@ -519,8 +502,8 @@
             "fields": [
               {
                 "id": 1,
-                "name": "client",
-                "type": "Client"
+                "name": "sink_node",
+                "type": "SinkNode"
               },
               {
                 "id": 2,
@@ -559,8 +542,8 @@
               },
               {
                 "id": 2,
-                "name": "envelopes",
-                "type": "Envelope",
+                "name": "resources",
+                "type": "Resource",
                 "is_repeated": true
               },
               {
@@ -575,6 +558,73 @@
                 "type": "string"
               }
             ]
+          },
+          {
+            "name": "RequestResources",
+            "fields": [
+              {
+                "id": 1,
+                "name": "sink_node",
+                "type": "SinkNode"
+              },
+              {
+                "id": 2,
+                "name": "collection",
+                "type": "string"
+              },
+              {
+                "id": 4,
+                "name": "response_nonce",
+                "type": "string"
+              },
+              {
+                "id": 5,
+                "name": "error_detail",
+                "type": "google.rpc.Status"
+              }
+            ],
+            "maps": [
+              {
+                "key_type": "string",
+                "field": {
+                  "id": 3,
+                  "name": "initial_resource_versions",
+                  "type": "string"
+                }
+              }
+            ]
+          },
+          {
+            "name": "Resources",
+            "fields": [
+              {
+                "id": 1,
+                "name": "system_version_info",
+                "type": "string"
+              },
+              {
+                "id": 2,
+                "name": "collection",
+                "type": "string"
+              },
+              {
+                "id": 3,
+                "name": "resources",
+                "type": "Resource",
+                "is_repeated": true
+              },
+              {
+                "id": 4,
+                "name": "removed_resources",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 5,
+                "name": "nonce",
+                "type": "string"
+              }
+            ]
           }
         ],
         "services": [
@@ -596,6 +646,30 @@
                 "out_streamed": true
               }
             ]
+          },
+          {
+            "name": "ResourceSource",
+            "rpcs": [
+              {
+                "name": "EstablishResourceStream",
+                "in_type": "RequestResources",
+                "out_type": "Resources",
+                "in_streamed": true,
+                "out_streamed": true
+              }
+            ]
+          },
+          {
+            "name": "ResourceSink",
+            "rpcs": [
+              {
+                "name": "EstablishResourceStream",
+                "in_type": "Resources",
+                "out_type": "RequestResources",
+                "in_streamed": true,
+                "out_streamed": true
+              }
+            ]
           }
         ]
       }
@@ -622,6 +696,46 @@
                 "name": "version",
                 "type": "string"
               }
+            ],
+            "maps": [
+              {
+                "key_type": "string",
+                "field": {
+                  "id": 4,
+                  "name": "labels",
+                  "type": "string"
+                }
+              },
+              {
+                "key_type": "string",
+                "field": {
+                  "id": 5,
+                  "name": "annotations",
+                  "type": "string"
+                }
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "protopath": "mcp:/:v1alpha1:/:resource.proto",
+      "def": {
+        "messages": [
+          {
+            "name": "Resource",
+            "fields": [
+              {
+                "id": 1,
+                "name": "metadata",
+                "type": "istio.mcp.v1alpha1.Metadata"
+              },
+              {
+                "id": 2,
+                "name": "body",
+                "type": "google.protobuf.Any"
+              }
             ]
           }
         ]
diff --git a/prototool.yaml b/prototool.yaml
index 57e67aac35..ebf22bd55b 100644
--- a/prototool.yaml
+++ b/prototool.yaml
@@ -13,6 +13,9 @@ lint:
     - id: ENUM_FIELD_NAMES_UPPER_SNAKE_CASE
       files:
         - networking/v1alpha3/gateway.proto
+    - id: REQUEST_RESPONSE_TYPES_UNIQUE
+      files:
+        - mcp/v1alpha1/mcp.proto
 
   # Linter rules.
   rules:
diff --git a/python/istio_api/mcp/v1alpha1/mcp_pb2.py b/python/istio_api/mcp/v1alpha1/mcp_pb2.py
index f49155f7a6..c380d4d828 100644
--- a/python/istio_api/mcp/v1alpha1/mcp_pb2.py
+++ b/python/istio_api/mcp/v1alpha1/mcp_pb2.py
@@ -13,41 +13,40 @@
 _sym_db = _symbol_database.Default()
 
 
-from google.protobuf import struct_pb2 as google_dot_protobuf_dot_struct__pb2
 from google.rpc import status_pb2 as google_dot_rpc_dot_status__pb2
 from gogoproto import gogo_pb2 as gogoproto_dot_gogo__pb2
-from mcp.v1alpha1 import envelope_pb2 as mcp_dot_v1alpha1_dot_envelope__pb2
+from mcp.v1alpha1 import resource_pb2 as mcp_dot_v1alpha1_dot_resource__pb2
 
 
 DESCRIPTOR = _descriptor.FileDescriptor(
   name='mcp/v1alpha1/mcp.proto',
   package='istio.mcp.v1alpha1',
   syntax='proto3',
-  serialized_pb=_b('\n\x16mcp/v1alpha1/mcp.proto\x12\x12istio.mcp.v1alpha1\x1a\x1cgoogle/protobuf/struct.proto\x1a\x17google/rpc/status.proto\x1a\x14gogoproto/gogo.proto\x1a\x1bmcp/v1alpha1/envelope.proto\"?\n\x06\x43lient\x12\n\n\x02id\x18\x01 \x01(\t\x12)\n\x08metadata\x18\x02 \x01(\x0b\x32\x17.google.protobuf.Struct\"\xa9\x01\n\x11MeshConfigRequest\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12*\n\x06\x63lient\x18\x02 \x01(\x0b\x32\x1a.istio.mcp.v1alpha1.Client\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\"\x82\x01\n\x12MeshConfigResponse\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12\x35\n\tenvelopes\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.EnvelopeB\x04\xc8\xde\x1f\x00\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\r\n\x05nonce\x18\x04 \x01(\t\"\xd0\x02\n\x1cIncrementalMeshConfigRequest\x12*\n\x06\x63lient\x18\x01 \x01(\x0b\x32\x1a.istio.mcp.v1alpha1.Client\x12\x10\n\x08type_url\x18\x02 \x01(\t\x12p\n\x19initial_resource_versions\x18\x03 \x03(\x0b\x32M.istio.mcp.v1alpha1.IncrementalMeshConfigRequest.InitialResourceVersionsEntry\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\x1a>\n\x1cInitialResourceVersionsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\x9d\x01\n\x1dIncrementalMeshConfigResponse\x12\x1b\n\x13system_version_info\x18\x01 \x01(\t\x12\x35\n\tenvelopes\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.EnvelopeB\x04\xc8\xde\x1f\x00\x12\x19\n\x11removed_resources\x18\x03 \x03(\t\x12\r\n\x05nonce\x18\x04 \x01(\t2\x9d\x02\n\x1b\x41ggregatedMeshConfigService\x12p\n\x19StreamAggregatedResources\x12%.istio.mcp.v1alpha1.MeshConfigRequest\x1a&.istio.mcp.v1alpha1.MeshConfigResponse\"\x00(\x01\x30\x01\x12\x8b\x01\n\x1eIncrementalAggregatedResources\x12\x30.istio.mcp.v1alpha1.IncrementalMeshConfigRequest\x1a\x31.istio.mcp.v1alpha1.IncrementalMeshConfigResponse\"\x00(\x01\x30\x01\x42\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3')
+  serialized_pb=_b('\n\x16mcp/v1alpha1/mcp.proto\x12\x12istio.mcp.v1alpha1\x1a\x17google/rpc/status.proto\x1a\x14gogoproto/gogo.proto\x1a\x1bmcp/v1alpha1/resource.proto\"\x8e\x01\n\x08SinkNode\x12\n\n\x02id\x18\x01 \x01(\t\x12\x42\n\x0b\x61nnotations\x18\x02 \x03(\x0b\x32-.istio.mcp.v1alpha1.SinkNode.AnnotationsEntry\x1a\x32\n\x10\x41nnotationsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xae\x01\n\x11MeshConfigRequest\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12/\n\tsink_node\x18\x02 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\"\x82\x01\n\x12MeshConfigResponse\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12\x35\n\tresources\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\r\n\x05nonce\x18\x04 \x01(\t\"\xd5\x02\n\x1cIncrementalMeshConfigRequest\x12/\n\tsink_node\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x10\n\x08type_url\x18\x02 \x01(\t\x12p\n\x19initial_resource_versions\x18\x03 \x03(\x0b\x32M.istio.mcp.v1alpha1.IncrementalMeshConfigRequest.InitialResourceVersionsEntry\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\x1a>\n\x1cInitialResourceVersionsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\x9d\x01\n\x1dIncrementalMeshConfigResponse\x12\x1b\n\x13system_version_info\x18\x01 \x01(\t\x12\x35\n\tresources\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x19\n\x11removed_resources\x18\x03 \x03(\t\x12\r\n\x05nonce\x18\x04 \x01(\t\"\xbf\x02\n\x10RequestResources\x12/\n\tsink_node\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x12\n\ncollection\x18\x02 \x01(\t\x12\x64\n\x19initial_resource_versions\x18\x03 \x03(\x0b\x32\x41.istio.mcp.v1alpha1.RequestResources.InitialResourceVersionsEntry\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\x1a>\n\x1cInitialResourceVersionsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\x9d\x01\n\tResources\x12\x1b\n\x13system_version_info\x18\x01 \x01(\t\x12\x12\n\ncollection\x18\x02 \x01(\t\x12\x35\n\tresources\x18\x03 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x19\n\x11removed_resources\x18\x04 \x03(\t\x12\r\n\x05nonce\x18\x05 \x01(\t2\x9d\x02\n\x1b\x41ggregatedMeshConfigService\x12p\n\x19StreamAggregatedResources\x12%.istio.mcp.v1alpha1.MeshConfigRequest\x1a&.istio.mcp.v1alpha1.MeshConfigResponse\"\x00(\x01\x30\x01\x12\x8b\x01\n\x1eIncrementalAggregatedResources\x12\x30.istio.mcp.v1alpha1.IncrementalMeshConfigRequest\x1a\x31.istio.mcp.v1alpha1.IncrementalMeshConfigResponse\"\x00(\x01\x30\x01\x32v\n\x0eResourceSource\x12\x64\n\x17\x45stablishResourceStream\x12$.istio.mcp.v1alpha1.RequestResources\x1a\x1d.istio.mcp.v1alpha1.Resources\"\x00(\x01\x30\x01\x32t\n\x0cResourceSink\x12\x64\n\x17\x45stablishResourceStream\x12\x1d.istio.mcp.v1alpha1.Resources\x1a$.istio.mcp.v1alpha1.RequestResources\"\x00(\x01\x30\x01\x42\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3')
   ,
-  dependencies=[google_dot_protobuf_dot_struct__pb2.DESCRIPTOR,google_dot_rpc_dot_status__pb2.DESCRIPTOR,gogoproto_dot_gogo__pb2.DESCRIPTOR,mcp_dot_v1alpha1_dot_envelope__pb2.DESCRIPTOR,])
+  dependencies=[google_dot_rpc_dot_status__pb2.DESCRIPTOR,gogoproto_dot_gogo__pb2.DESCRIPTOR,mcp_dot_v1alpha1_dot_resource__pb2.DESCRIPTOR,])
 
 
 
 
-_CLIENT = _descriptor.Descriptor(
-  name='Client',
-  full_name='istio.mcp.v1alpha1.Client',
+_SINKNODE_ANNOTATIONSENTRY = _descriptor.Descriptor(
+  name='AnnotationsEntry',
+  full_name='istio.mcp.v1alpha1.SinkNode.AnnotationsEntry',
   filename=None,
   file=DESCRIPTOR,
   containing_type=None,
   fields=[
     _descriptor.FieldDescriptor(
-      name='id', full_name='istio.mcp.v1alpha1.Client.id', index=0,
+      name='key', full_name='istio.mcp.v1alpha1.SinkNode.AnnotationsEntry.key', index=0,
       number=1, type=9, cpp_type=9, label=1,
       has_default_value=False, default_value=_b("").decode('utf-8'),
       message_type=None, enum_type=None, containing_type=None,
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
     _descriptor.FieldDescriptor(
-      name='metadata', full_name='istio.mcp.v1alpha1.Client.metadata', index=1,
-      number=2, type=11, cpp_type=10, label=1,
-      has_default_value=False, default_value=None,
+      name='value', full_name='istio.mcp.v1alpha1.SinkNode.AnnotationsEntry.value', index=1,
+      number=2, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
       message_type=None, enum_type=None, containing_type=None,
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
@@ -57,14 +56,51 @@
   nested_types=[],
   enum_types=[
   ],
+  options=_descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')),
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=215,
+  serialized_end=265,
+)
+
+_SINKNODE = _descriptor.Descriptor(
+  name='SinkNode',
+  full_name='istio.mcp.v1alpha1.SinkNode',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='id', full_name='istio.mcp.v1alpha1.SinkNode.id', index=0,
+      number=1, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='annotations', full_name='istio.mcp.v1alpha1.SinkNode.annotations', index=1,
+      number=2, type=11, cpp_type=10, label=3,
+      has_default_value=False, default_value=[],
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+  ],
+  extensions=[
+  ],
+  nested_types=[_SINKNODE_ANNOTATIONSENTRY, ],
+  enum_types=[
+  ],
   options=None,
   is_extendable=False,
   syntax='proto3',
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=152,
-  serialized_end=215,
+  serialized_start=123,
+  serialized_end=265,
 )
 
 
@@ -83,7 +119,7 @@
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
     _descriptor.FieldDescriptor(
-      name='client', full_name='istio.mcp.v1alpha1.MeshConfigRequest.client', index=1,
+      name='sink_node', full_name='istio.mcp.v1alpha1.MeshConfigRequest.sink_node', index=1,
       number=2, type=11, cpp_type=10, label=1,
       has_default_value=False, default_value=None,
       message_type=None, enum_type=None, containing_type=None,
@@ -122,8 +158,8 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=218,
-  serialized_end=387,
+  serialized_start=268,
+  serialized_end=442,
 )
 
 
@@ -142,7 +178,7 @@
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
     _descriptor.FieldDescriptor(
-      name='envelopes', full_name='istio.mcp.v1alpha1.MeshConfigResponse.envelopes', index=1,
+      name='resources', full_name='istio.mcp.v1alpha1.MeshConfigResponse.resources', index=1,
       number=2, type=11, cpp_type=10, label=3,
       has_default_value=False, default_value=[],
       message_type=None, enum_type=None, containing_type=None,
@@ -174,8 +210,8 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=390,
-  serialized_end=520,
+  serialized_start=445,
+  serialized_end=575,
 )
 
 
@@ -212,8 +248,8 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=797,
-  serialized_end=859,
+  serialized_start=857,
+  serialized_end=919,
 )
 
 _INCREMENTALMESHCONFIGREQUEST = _descriptor.Descriptor(
@@ -224,7 +260,7 @@
   containing_type=None,
   fields=[
     _descriptor.FieldDescriptor(
-      name='client', full_name='istio.mcp.v1alpha1.IncrementalMeshConfigRequest.client', index=0,
+      name='sink_node', full_name='istio.mcp.v1alpha1.IncrementalMeshConfigRequest.sink_node', index=0,
       number=1, type=11, cpp_type=10, label=1,
       has_default_value=False, default_value=None,
       message_type=None, enum_type=None, containing_type=None,
@@ -270,8 +306,8 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=523,
-  serialized_end=859,
+  serialized_start=578,
+  serialized_end=919,
 )
 
 
@@ -290,7 +326,7 @@
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
     _descriptor.FieldDescriptor(
-      name='envelopes', full_name='istio.mcp.v1alpha1.IncrementalMeshConfigResponse.envelopes', index=1,
+      name='resources', full_name='istio.mcp.v1alpha1.IncrementalMeshConfigResponse.resources', index=1,
       number=2, type=11, cpp_type=10, label=3,
       has_default_value=False, default_value=[],
       message_type=None, enum_type=None, containing_type=None,
@@ -322,32 +358,203 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=862,
-  serialized_end=1019,
+  serialized_start=922,
+  serialized_end=1079,
+)
+
+
+_REQUESTRESOURCES_INITIALRESOURCEVERSIONSENTRY = _descriptor.Descriptor(
+  name='InitialResourceVersionsEntry',
+  full_name='istio.mcp.v1alpha1.RequestResources.InitialResourceVersionsEntry',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='key', full_name='istio.mcp.v1alpha1.RequestResources.InitialResourceVersionsEntry.key', index=0,
+      number=1, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='value', full_name='istio.mcp.v1alpha1.RequestResources.InitialResourceVersionsEntry.value', index=1,
+      number=2, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+  ],
+  extensions=[
+  ],
+  nested_types=[],
+  enum_types=[
+  ],
+  options=_descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')),
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=857,
+  serialized_end=919,
+)
+
+_REQUESTRESOURCES = _descriptor.Descriptor(
+  name='RequestResources',
+  full_name='istio.mcp.v1alpha1.RequestResources',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='sink_node', full_name='istio.mcp.v1alpha1.RequestResources.sink_node', index=0,
+      number=1, type=11, cpp_type=10, label=1,
+      has_default_value=False, default_value=None,
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='collection', full_name='istio.mcp.v1alpha1.RequestResources.collection', index=1,
+      number=2, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='initial_resource_versions', full_name='istio.mcp.v1alpha1.RequestResources.initial_resource_versions', index=2,
+      number=3, type=11, cpp_type=10, label=3,
+      has_default_value=False, default_value=[],
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='response_nonce', full_name='istio.mcp.v1alpha1.RequestResources.response_nonce', index=3,
+      number=4, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='error_detail', full_name='istio.mcp.v1alpha1.RequestResources.error_detail', index=4,
+      number=5, type=11, cpp_type=10, label=1,
+      has_default_value=False, default_value=None,
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+  ],
+  extensions=[
+  ],
+  nested_types=[_REQUESTRESOURCES_INITIALRESOURCEVERSIONSENTRY, ],
+  enum_types=[
+  ],
+  options=None,
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=1082,
+  serialized_end=1401,
+)
+
+
+_RESOURCES = _descriptor.Descriptor(
+  name='Resources',
+  full_name='istio.mcp.v1alpha1.Resources',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='system_version_info', full_name='istio.mcp.v1alpha1.Resources.system_version_info', index=0,
+      number=1, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='collection', full_name='istio.mcp.v1alpha1.Resources.collection', index=1,
+      number=2, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='resources', full_name='istio.mcp.v1alpha1.Resources.resources', index=2,
+      number=3, type=11, cpp_type=10, label=3,
+      has_default_value=False, default_value=[],
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=_descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\310\336\037\000')), file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='removed_resources', full_name='istio.mcp.v1alpha1.Resources.removed_resources', index=3,
+      number=4, type=9, cpp_type=9, label=3,
+      has_default_value=False, default_value=[],
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='nonce', full_name='istio.mcp.v1alpha1.Resources.nonce', index=4,
+      number=5, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+  ],
+  extensions=[
+  ],
+  nested_types=[],
+  enum_types=[
+  ],
+  options=None,
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=1404,
+  serialized_end=1561,
 )
 
-_CLIENT.fields_by_name['metadata'].message_type = google_dot_protobuf_dot_struct__pb2._STRUCT
-_MESHCONFIGREQUEST.fields_by_name['client'].message_type = _CLIENT
+_SINKNODE_ANNOTATIONSENTRY.containing_type = _SINKNODE
+_SINKNODE.fields_by_name['annotations'].message_type = _SINKNODE_ANNOTATIONSENTRY
+_MESHCONFIGREQUEST.fields_by_name['sink_node'].message_type = _SINKNODE
 _MESHCONFIGREQUEST.fields_by_name['error_detail'].message_type = google_dot_rpc_dot_status__pb2._STATUS
-_MESHCONFIGRESPONSE.fields_by_name['envelopes'].message_type = mcp_dot_v1alpha1_dot_envelope__pb2._ENVELOPE
+_MESHCONFIGRESPONSE.fields_by_name['resources'].message_type = mcp_dot_v1alpha1_dot_resource__pb2._RESOURCE
 _INCREMENTALMESHCONFIGREQUEST_INITIALRESOURCEVERSIONSENTRY.containing_type = _INCREMENTALMESHCONFIGREQUEST
-_INCREMENTALMESHCONFIGREQUEST.fields_by_name['client'].message_type = _CLIENT
+_INCREMENTALMESHCONFIGREQUEST.fields_by_name['sink_node'].message_type = _SINKNODE
 _INCREMENTALMESHCONFIGREQUEST.fields_by_name['initial_resource_versions'].message_type = _INCREMENTALMESHCONFIGREQUEST_INITIALRESOURCEVERSIONSENTRY
 _INCREMENTALMESHCONFIGREQUEST.fields_by_name['error_detail'].message_type = google_dot_rpc_dot_status__pb2._STATUS
-_INCREMENTALMESHCONFIGRESPONSE.fields_by_name['envelopes'].message_type = mcp_dot_v1alpha1_dot_envelope__pb2._ENVELOPE
-DESCRIPTOR.message_types_by_name['Client'] = _CLIENT
+_INCREMENTALMESHCONFIGRESPONSE.fields_by_name['resources'].message_type = mcp_dot_v1alpha1_dot_resource__pb2._RESOURCE
+_REQUESTRESOURCES_INITIALRESOURCEVERSIONSENTRY.containing_type = _REQUESTRESOURCES
+_REQUESTRESOURCES.fields_by_name['sink_node'].message_type = _SINKNODE
+_REQUESTRESOURCES.fields_by_name['initial_resource_versions'].message_type = _REQUESTRESOURCES_INITIALRESOURCEVERSIONSENTRY
+_REQUESTRESOURCES.fields_by_name['error_detail'].message_type = google_dot_rpc_dot_status__pb2._STATUS
+_RESOURCES.fields_by_name['resources'].message_type = mcp_dot_v1alpha1_dot_resource__pb2._RESOURCE
+DESCRIPTOR.message_types_by_name['SinkNode'] = _SINKNODE
 DESCRIPTOR.message_types_by_name['MeshConfigRequest'] = _MESHCONFIGREQUEST
 DESCRIPTOR.message_types_by_name['MeshConfigResponse'] = _MESHCONFIGRESPONSE
 DESCRIPTOR.message_types_by_name['IncrementalMeshConfigRequest'] = _INCREMENTALMESHCONFIGREQUEST
 DESCRIPTOR.message_types_by_name['IncrementalMeshConfigResponse'] = _INCREMENTALMESHCONFIGRESPONSE
+DESCRIPTOR.message_types_by_name['RequestResources'] = _REQUESTRESOURCES
+DESCRIPTOR.message_types_by_name['Resources'] = _RESOURCES
 _sym_db.RegisterFileDescriptor(DESCRIPTOR)
 
-Client = _reflection.GeneratedProtocolMessageType('Client', (_message.Message,), dict(
-  DESCRIPTOR = _CLIENT,
+SinkNode = _reflection.GeneratedProtocolMessageType('SinkNode', (_message.Message,), dict(
+
+  AnnotationsEntry = _reflection.GeneratedProtocolMessageType('AnnotationsEntry', (_message.Message,), dict(
+    DESCRIPTOR = _SINKNODE_ANNOTATIONSENTRY,
+    __module__ = 'mcp.v1alpha1.mcp_pb2'
+    # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.SinkNode.AnnotationsEntry)
+    ))
+  ,
+  DESCRIPTOR = _SINKNODE,
   __module__ = 'mcp.v1alpha1.mcp_pb2'
-  # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.Client)
+  # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.SinkNode)
   ))
-_sym_db.RegisterMessage(Client)
+_sym_db.RegisterMessage(SinkNode)
+_sym_db.RegisterMessage(SinkNode.AnnotationsEntry)
 
 MeshConfigRequest = _reflection.GeneratedProtocolMessageType('MeshConfigRequest', (_message.Message,), dict(
   DESCRIPTOR = _MESHCONFIGREQUEST,
@@ -385,15 +592,43 @@
   ))
 _sym_db.RegisterMessage(IncrementalMeshConfigResponse)
 
+RequestResources = _reflection.GeneratedProtocolMessageType('RequestResources', (_message.Message,), dict(
+
+  InitialResourceVersionsEntry = _reflection.GeneratedProtocolMessageType('InitialResourceVersionsEntry', (_message.Message,), dict(
+    DESCRIPTOR = _REQUESTRESOURCES_INITIALRESOURCEVERSIONSENTRY,
+    __module__ = 'mcp.v1alpha1.mcp_pb2'
+    # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.RequestResources.InitialResourceVersionsEntry)
+    ))
+  ,
+  DESCRIPTOR = _REQUESTRESOURCES,
+  __module__ = 'mcp.v1alpha1.mcp_pb2'
+  # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.RequestResources)
+  ))
+_sym_db.RegisterMessage(RequestResources)
+_sym_db.RegisterMessage(RequestResources.InitialResourceVersionsEntry)
+
+Resources = _reflection.GeneratedProtocolMessageType('Resources', (_message.Message,), dict(
+  DESCRIPTOR = _RESOURCES,
+  __module__ = 'mcp.v1alpha1.mcp_pb2'
+  # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.Resources)
+  ))
+_sym_db.RegisterMessage(Resources)
+
 
 DESCRIPTOR.has_options = True
 DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z\031istio.io/api/mcp/v1alpha1\250\342\036\001'))
-_MESHCONFIGRESPONSE.fields_by_name['envelopes'].has_options = True
-_MESHCONFIGRESPONSE.fields_by_name['envelopes']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\310\336\037\000'))
+_SINKNODE_ANNOTATIONSENTRY.has_options = True
+_SINKNODE_ANNOTATIONSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
+_MESHCONFIGRESPONSE.fields_by_name['resources'].has_options = True
+_MESHCONFIGRESPONSE.fields_by_name['resources']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\310\336\037\000'))
 _INCREMENTALMESHCONFIGREQUEST_INITIALRESOURCEVERSIONSENTRY.has_options = True
 _INCREMENTALMESHCONFIGREQUEST_INITIALRESOURCEVERSIONSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
-_INCREMENTALMESHCONFIGRESPONSE.fields_by_name['envelopes'].has_options = True
-_INCREMENTALMESHCONFIGRESPONSE.fields_by_name['envelopes']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\310\336\037\000'))
+_INCREMENTALMESHCONFIGRESPONSE.fields_by_name['resources'].has_options = True
+_INCREMENTALMESHCONFIGRESPONSE.fields_by_name['resources']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\310\336\037\000'))
+_REQUESTRESOURCES_INITIALRESOURCEVERSIONSENTRY.has_options = True
+_REQUESTRESOURCES_INITIALRESOURCEVERSIONSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
+_RESOURCES.fields_by_name['resources'].has_options = True
+_RESOURCES.fields_by_name['resources']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\310\336\037\000'))
 
 _AGGREGATEDMESHCONFIGSERVICE = _descriptor.ServiceDescriptor(
   name='AggregatedMeshConfigService',
@@ -401,8 +636,8 @@
   file=DESCRIPTOR,
   index=0,
   options=None,
-  serialized_start=1022,
-  serialized_end=1307,
+  serialized_start=1564,
+  serialized_end=1849,
   methods=[
   _descriptor.MethodDescriptor(
     name='StreamAggregatedResources',
@@ -427,4 +662,52 @@
 
 DESCRIPTOR.services_by_name['AggregatedMeshConfigService'] = _AGGREGATEDMESHCONFIGSERVICE
 
+
+_RESOURCESOURCE = _descriptor.ServiceDescriptor(
+  name='ResourceSource',
+  full_name='istio.mcp.v1alpha1.ResourceSource',
+  file=DESCRIPTOR,
+  index=1,
+  options=None,
+  serialized_start=1851,
+  serialized_end=1969,
+  methods=[
+  _descriptor.MethodDescriptor(
+    name='EstablishResourceStream',
+    full_name='istio.mcp.v1alpha1.ResourceSource.EstablishResourceStream',
+    index=0,
+    containing_service=None,
+    input_type=_REQUESTRESOURCES,
+    output_type=_RESOURCES,
+    options=None,
+  ),
+])
+_sym_db.RegisterServiceDescriptor(_RESOURCESOURCE)
+
+DESCRIPTOR.services_by_name['ResourceSource'] = _RESOURCESOURCE
+
+
+_RESOURCESINK = _descriptor.ServiceDescriptor(
+  name='ResourceSink',
+  full_name='istio.mcp.v1alpha1.ResourceSink',
+  file=DESCRIPTOR,
+  index=2,
+  options=None,
+  serialized_start=1971,
+  serialized_end=2087,
+  methods=[
+  _descriptor.MethodDescriptor(
+    name='EstablishResourceStream',
+    full_name='istio.mcp.v1alpha1.ResourceSink.EstablishResourceStream',
+    index=0,
+    containing_service=None,
+    input_type=_RESOURCES,
+    output_type=_REQUESTRESOURCES,
+    options=None,
+  ),
+])
+_sym_db.RegisterServiceDescriptor(_RESOURCESINK)
+
+DESCRIPTOR.services_by_name['ResourceSink'] = _RESOURCESINK
+
 # @@protoc_insertion_point(module_scope)
diff --git a/python/istio_api/mcp/v1alpha1/metadata_pb2.py b/python/istio_api/mcp/v1alpha1/metadata_pb2.py
index 0ed149b579..3be0202f3c 100644
--- a/python/istio_api/mcp/v1alpha1/metadata_pb2.py
+++ b/python/istio_api/mcp/v1alpha1/metadata_pb2.py
@@ -15,19 +15,94 @@
 
 from gogoproto import gogo_pb2 as gogoproto_dot_gogo__pb2
 from google.protobuf import timestamp_pb2 as google_dot_protobuf_dot_timestamp__pb2
+from google.protobuf import struct_pb2 as google_dot_protobuf_dot_struct__pb2
 
 
 DESCRIPTOR = _descriptor.FileDescriptor(
   name='mcp/v1alpha1/metadata.proto',
   package='istio.mcp.v1alpha1',
   syntax='proto3',
-  serialized_pb=_b('\n\x1bmcp/v1alpha1/metadata.proto\x12\x12istio.mcp.v1alpha1\x1a\x14gogoproto/gogo.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"Z\n\x08Metadata\x12\x0c\n\x04name\x18\x01 \x01(\t\x12/\n\x0b\x63reate_time\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x0f\n\x07version\x18\x03 \x01(\tB\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3')
+  serialized_pb=_b('\n\x1bmcp/v1alpha1/metadata.proto\x12\x12istio.mcp.v1alpha1\x1a\x14gogoproto/gogo.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1cgoogle/protobuf/struct.proto\"\xbb\x02\n\x08Metadata\x12\x0c\n\x04name\x18\x01 \x01(\t\x12/\n\x0b\x63reate_time\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x0f\n\x07version\x18\x03 \x01(\t\x12\x38\n\x06labels\x18\x04 \x03(\x0b\x32(.istio.mcp.v1alpha1.Metadata.LabelsEntry\x12\x42\n\x0b\x61nnotations\x18\x05 \x03(\x0b\x32-.istio.mcp.v1alpha1.Metadata.AnnotationsEntry\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\x1a\x32\n\x10\x41nnotationsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\x42\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3')
   ,
-  dependencies=[gogoproto_dot_gogo__pb2.DESCRIPTOR,google_dot_protobuf_dot_timestamp__pb2.DESCRIPTOR,])
+  dependencies=[gogoproto_dot_gogo__pb2.DESCRIPTOR,google_dot_protobuf_dot_timestamp__pb2.DESCRIPTOR,google_dot_protobuf_dot_struct__pb2.DESCRIPTOR,])
 
 
 
 
+_METADATA_LABELSENTRY = _descriptor.Descriptor(
+  name='LabelsEntry',
+  full_name='istio.mcp.v1alpha1.Metadata.LabelsEntry',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='key', full_name='istio.mcp.v1alpha1.Metadata.LabelsEntry.key', index=0,
+      number=1, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='value', full_name='istio.mcp.v1alpha1.Metadata.LabelsEntry.value', index=1,
+      number=2, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+  ],
+  extensions=[
+  ],
+  nested_types=[],
+  enum_types=[
+  ],
+  options=_descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')),
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=355,
+  serialized_end=400,
+)
+
+_METADATA_ANNOTATIONSENTRY = _descriptor.Descriptor(
+  name='AnnotationsEntry',
+  full_name='istio.mcp.v1alpha1.Metadata.AnnotationsEntry',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='key', full_name='istio.mcp.v1alpha1.Metadata.AnnotationsEntry.key', index=0,
+      number=1, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='value', full_name='istio.mcp.v1alpha1.Metadata.AnnotationsEntry.value', index=1,
+      number=2, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=_b("").decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+  ],
+  extensions=[
+  ],
+  nested_types=[],
+  enum_types=[
+  ],
+  options=_descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')),
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=402,
+  serialized_end=452,
+)
+
 _METADATA = _descriptor.Descriptor(
   name='Metadata',
   full_name='istio.mcp.v1alpha1.Metadata',
@@ -56,10 +131,24 @@
       message_type=None, enum_type=None, containing_type=None,
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='labels', full_name='istio.mcp.v1alpha1.Metadata.labels', index=3,
+      number=4, type=11, cpp_type=10, label=3,
+      has_default_value=False, default_value=[],
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
+    _descriptor.FieldDescriptor(
+      name='annotations', full_name='istio.mcp.v1alpha1.Metadata.annotations', index=4,
+      number=5, type=11, cpp_type=10, label=3,
+      has_default_value=False, default_value=[],
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      options=None, file=DESCRIPTOR),
   ],
   extensions=[
   ],
-  nested_types=[],
+  nested_types=[_METADATA_LABELSENTRY, _METADATA_ANNOTATIONSENTRY, ],
   enum_types=[
   ],
   options=None,
@@ -68,22 +157,46 @@
   extension_ranges=[],
   oneofs=[
   ],
-  serialized_start=106,
-  serialized_end=196,
+  serialized_start=137,
+  serialized_end=452,
 )
 
+_METADATA_LABELSENTRY.containing_type = _METADATA
+_METADATA_ANNOTATIONSENTRY.containing_type = _METADATA
 _METADATA.fields_by_name['create_time'].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP
+_METADATA.fields_by_name['labels'].message_type = _METADATA_LABELSENTRY
+_METADATA.fields_by_name['annotations'].message_type = _METADATA_ANNOTATIONSENTRY
 DESCRIPTOR.message_types_by_name['Metadata'] = _METADATA
 _sym_db.RegisterFileDescriptor(DESCRIPTOR)
 
 Metadata = _reflection.GeneratedProtocolMessageType('Metadata', (_message.Message,), dict(
+
+  LabelsEntry = _reflection.GeneratedProtocolMessageType('LabelsEntry', (_message.Message,), dict(
+    DESCRIPTOR = _METADATA_LABELSENTRY,
+    __module__ = 'mcp.v1alpha1.metadata_pb2'
+    # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.Metadata.LabelsEntry)
+    ))
+  ,
+
+  AnnotationsEntry = _reflection.GeneratedProtocolMessageType('AnnotationsEntry', (_message.Message,), dict(
+    DESCRIPTOR = _METADATA_ANNOTATIONSENTRY,
+    __module__ = 'mcp.v1alpha1.metadata_pb2'
+    # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.Metadata.AnnotationsEntry)
+    ))
+  ,
   DESCRIPTOR = _METADATA,
   __module__ = 'mcp.v1alpha1.metadata_pb2'
   # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.Metadata)
   ))
 _sym_db.RegisterMessage(Metadata)
+_sym_db.RegisterMessage(Metadata.LabelsEntry)
+_sym_db.RegisterMessage(Metadata.AnnotationsEntry)
 
 
 DESCRIPTOR.has_options = True
 DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z\031istio.io/api/mcp/v1alpha1\250\342\036\001'))
+_METADATA_LABELSENTRY.has_options = True
+_METADATA_LABELSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
+_METADATA_ANNOTATIONSENTRY.has_options = True
+_METADATA_ANNOTATIONSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
 # @@protoc_insertion_point(module_scope)
diff --git a/python/istio_api/mcp/v1alpha1/envelope_pb2.py b/python/istio_api/mcp/v1alpha1/resource_pb2.py
similarity index 65%
rename from python/istio_api/mcp/v1alpha1/envelope_pb2.py
rename to python/istio_api/mcp/v1alpha1/resource_pb2.py
index 7357c432b9..ce5615342d 100644
--- a/python/istio_api/mcp/v1alpha1/envelope_pb2.py
+++ b/python/istio_api/mcp/v1alpha1/resource_pb2.py
@@ -1,5 +1,5 @@
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
-# source: mcp/v1alpha1/envelope.proto
+# source: mcp/v1alpha1/resource.proto
 
 import sys
 _b=sys.version_info[0]<3 and (lambda x:x) or (lambda x:x.encode('latin1'))
@@ -19,32 +19,32 @@
 
 
 DESCRIPTOR = _descriptor.FileDescriptor(
-  name='mcp/v1alpha1/envelope.proto',
+  name='mcp/v1alpha1/resource.proto',
   package='istio.mcp.v1alpha1',
   syntax='proto3',
-  serialized_pb=_b('\n\x1bmcp/v1alpha1/envelope.proto\x12\x12istio.mcp.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x14gogoproto/gogo.proto\x1a\x1bmcp/v1alpha1/metadata.proto\"b\n\x08\x45nvelope\x12.\n\x08metadata\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.Metadata\x12&\n\x08resource\x18\x02 \x01(\x0b\x32\x14.google.protobuf.AnyB\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3')
+  serialized_pb=_b('\n\x1bmcp/v1alpha1/resource.proto\x12\x12istio.mcp.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x14gogoproto/gogo.proto\x1a\x1bmcp/v1alpha1/metadata.proto\"^\n\x08Resource\x12.\n\x08metadata\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.Metadata\x12\"\n\x04\x62ody\x18\x02 \x01(\x0b\x32\x14.google.protobuf.AnyB\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3')
   ,
   dependencies=[google_dot_protobuf_dot_any__pb2.DESCRIPTOR,gogoproto_dot_gogo__pb2.DESCRIPTOR,mcp_dot_v1alpha1_dot_metadata__pb2.DESCRIPTOR,])
 
 
 
 
-_ENVELOPE = _descriptor.Descriptor(
-  name='Envelope',
-  full_name='istio.mcp.v1alpha1.Envelope',
+_RESOURCE = _descriptor.Descriptor(
+  name='Resource',
+  full_name='istio.mcp.v1alpha1.Resource',
   filename=None,
   file=DESCRIPTOR,
   containing_type=None,
   fields=[
     _descriptor.FieldDescriptor(
-      name='metadata', full_name='istio.mcp.v1alpha1.Envelope.metadata', index=0,
+      name='metadata', full_name='istio.mcp.v1alpha1.Resource.metadata', index=0,
       number=1, type=11, cpp_type=10, label=1,
       has_default_value=False, default_value=None,
       message_type=None, enum_type=None, containing_type=None,
       is_extension=False, extension_scope=None,
       options=None, file=DESCRIPTOR),
     _descriptor.FieldDescriptor(
-      name='resource', full_name='istio.mcp.v1alpha1.Envelope.resource', index=1,
+      name='body', full_name='istio.mcp.v1alpha1.Resource.body', index=1,
       number=2, type=11, cpp_type=10, label=1,
       has_default_value=False, default_value=None,
       message_type=None, enum_type=None, containing_type=None,
@@ -63,20 +63,20 @@
   oneofs=[
   ],
   serialized_start=129,
-  serialized_end=227,
+  serialized_end=223,
 )
 
-_ENVELOPE.fields_by_name['metadata'].message_type = mcp_dot_v1alpha1_dot_metadata__pb2._METADATA
-_ENVELOPE.fields_by_name['resource'].message_type = google_dot_protobuf_dot_any__pb2._ANY
-DESCRIPTOR.message_types_by_name['Envelope'] = _ENVELOPE
+_RESOURCE.fields_by_name['metadata'].message_type = mcp_dot_v1alpha1_dot_metadata__pb2._METADATA
+_RESOURCE.fields_by_name['body'].message_type = google_dot_protobuf_dot_any__pb2._ANY
+DESCRIPTOR.message_types_by_name['Resource'] = _RESOURCE
 _sym_db.RegisterFileDescriptor(DESCRIPTOR)
 
-Envelope = _reflection.GeneratedProtocolMessageType('Envelope', (_message.Message,), dict(
-  DESCRIPTOR = _ENVELOPE,
-  __module__ = 'mcp.v1alpha1.envelope_pb2'
-  # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.Envelope)
+Resource = _reflection.GeneratedProtocolMessageType('Resource', (_message.Message,), dict(
+  DESCRIPTOR = _RESOURCE,
+  __module__ = 'mcp.v1alpha1.resource_pb2'
+  # @@protoc_insertion_point(class_scope:istio.mcp.v1alpha1.Resource)
   ))
-_sym_db.RegisterMessage(Envelope)
+_sym_db.RegisterMessage(Resource)
 
 
 DESCRIPTOR.has_options = True

From f818794c44b7f7aae6794382eaf2fcb6b9499f70 Mon Sep 17 00:00:00 2001
From: Kuat <kyessenov@users.noreply.github.com>
Date: Thu, 10 Jan 2019 11:28:46 -0800
Subject: [PATCH 3/4] add optional header operations (#753)

Signed-off-by: Kuat Yessenov <kuat@google.com>
---
 policy/v1beta1/cfg.pb.go                    | 5 +++++
 policy/v1beta1/cfg.proto                    | 5 +++++
 policy/v1beta1/istio.policy.v1beta1.pb.html | 4 ++++
 3 files changed, 14 insertions(+)

diff --git a/policy/v1beta1/cfg.pb.go b/policy/v1beta1/cfg.pb.go
index bc942cc41f..c20dc5f660 100644
--- a/policy/v1beta1/cfg.pb.go
+++ b/policy/v1beta1/cfg.pb.go
@@ -346,12 +346,17 @@ func (m *Rule) GetSampling() *Sampling {
 // that may reference action outputs by name. For example, if an action `x` produces an output
 // with a field `f`, then the header value expressions may use attribute `x.output.f` to reference
 // the field value:
+//
 // ```yaml
 // request_header_operations:
 // - name: x-istio-header
 //   values:
 //   - x.output.f
 // ```
+//
+// If the header value expression evaluates to an empty string, and the operation is to either replace
+// or append a header, then the operation is not applied. This permits conditional behavior on behalf of the
+// adapter to optionally modify the headers.
 type Rule_HeaderOperationTemplate struct {
 	// Required. Header name literal value.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
diff --git a/policy/v1beta1/cfg.proto b/policy/v1beta1/cfg.proto
index 795b3be2a1..aba4752692 100644
--- a/policy/v1beta1/cfg.proto
+++ b/policy/v1beta1/cfg.proto
@@ -131,12 +131,17 @@ message Rule {
   // that may reference action outputs by name. For example, if an action `x` produces an output
   // with a field `f`, then the header value expressions may use attribute `x.output.f` to reference
   // the field value:
+  //
   // ```yaml
   // request_header_operations:
   // - name: x-istio-header
   //   values:
   //   - x.output.f
   // ```
+  //
+  // If the header value expression evaluates to an empty string, and the operation is to either replace
+  // or append a header, then the operation is not applied. This permits conditional behavior on behalf of the
+  // adapter to optionally modify the headers.
   message HeaderOperationTemplate {
 
     // Required. Header name literal value.
diff --git a/policy/v1beta1/istio.policy.v1beta1.pb.html b/policy/v1beta1/istio.policy.v1beta1.pb.html
index 0ca8ab344c..39c716a87e 100644
--- a/policy/v1beta1/istio.policy.v1beta1.pb.html
+++ b/policy/v1beta1/istio.policy.v1beta1.pb.html
@@ -809,6 +809,10 @@ <h2 id="Rule-HeaderOperationTemplate">Rule.HeaderOperationTemplate</h2>
   - x.output.f
 </code></pre>
 
+<p>If the header value expression evaluates to an empty string, and the operation is to either replace
+or append a header, then the operation is not applied. This permits conditional behavior on behalf of the
+adapter to optionally modify the headers.</p>
+
 <table class="message-fields">
 <thead>
 <tr>

From 48ad3546604d1a67f538e2a5bb31f3ca0cb5cac9 Mon Sep 17 00:00:00 2001
From: Yangmin Zhu <ymzhu@google.com>
Date: Fri, 11 Jan 2019 10:24:15 -0800
Subject: [PATCH 4/4] Update RBAC for Authorization v2 API. (#748)

Signed-off-by: Yangmin Zhu <ymzhu@google.com>
---
 proto.lock                                |  119 ++
 rbac/v1alpha1/istio.rbac.v1alpha1.pb.html |   36 +-
 rbac/v1alpha1/rbac.pb.go                  | 1780 +++++++++++++++++++--
 rbac/v1alpha1/rbac.proto                  |  148 +-
 4 files changed, 1873 insertions(+), 210 deletions(-)

diff --git a/proto.lock b/proto.lock
index 537573d06c..36b370e7cd 100644
--- a/proto.lock
+++ b/proto.lock
@@ -4831,6 +4831,35 @@
           }
         ],
         "messages": [
+          {
+            "name": "WorkloadSelector",
+            "maps": [
+              {
+                "key_type": "string",
+                "field": {
+                  "id": 1,
+                  "name": "labels",
+                  "type": "string"
+                }
+              }
+            ]
+          },
+          {
+            "name": "AuthorizationPolicy",
+            "fields": [
+              {
+                "id": 1,
+                "name": "workload_selector",
+                "type": "WorkloadSelector"
+              },
+              {
+                "id": 2,
+                "name": "allow",
+                "type": "ServiceRoleBinding",
+                "is_repeated": true
+              }
+            ]
+          },
           {
             "name": "ServiceRole",
             "fields": [
@@ -4851,18 +4880,54 @@
                 "type": "string",
                 "is_repeated": true
               },
+              {
+                "id": 5,
+                "name": "hosts",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 6,
+                "name": "not_hosts",
+                "type": "string",
+                "is_repeated": true
+              },
               {
                 "id": 2,
                 "name": "paths",
                 "type": "string",
                 "is_repeated": true
               },
+              {
+                "id": 7,
+                "name": "not_paths",
+                "type": "string",
+                "is_repeated": true
+              },
               {
                 "id": 3,
                 "name": "methods",
                 "type": "string",
                 "is_repeated": true
               },
+              {
+                "id": 8,
+                "name": "not_methods",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 9,
+                "name": "ports",
+                "type": "int32",
+                "is_repeated": true
+              },
+              {
+                "id": 10,
+                "name": "not_ports",
+                "type": "int32",
+                "is_repeated": true
+              },
               {
                 "id": 4,
                 "name": "constraints",
@@ -4918,10 +4983,58 @@
                 "name": "user",
                 "type": "string"
               },
+              {
+                "id": 4,
+                "name": "principals",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 5,
+                "name": "not_principals",
+                "type": "string",
+                "is_repeated": true
+              },
               {
                 "id": 2,
                 "name": "group",
                 "type": "string"
+              },
+              {
+                "id": 6,
+                "name": "groups",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 7,
+                "name": "not_groups",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 8,
+                "name": "namespaces",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 9,
+                "name": "not_namespaces",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 10,
+                "name": "ips",
+                "type": "string",
+                "is_repeated": true
+              },
+              {
+                "id": 11,
+                "name": "not_ips",
+                "type": "string",
+                "is_repeated": true
               }
             ],
             "maps": [
@@ -4984,6 +5097,12 @@
                     "type": "string",
                     "is_repeated": true
                   },
+                  {
+                    "id": 3,
+                    "name": "workload_selectors",
+                    "type": "WorkloadSelector",
+                    "is_repeated": true
+                  },
                   {
                     "id": 2,
                     "name": "namespaces",
diff --git a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html
index c37ceef23e..edc324f0e8 100644
--- a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html
+++ b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html
@@ -106,11 +106,10 @@ <h2 id="AccessRule">AccessRule</h2>
 <p>Optional. A list of HTTP paths or gRPC methods.
 gRPC methods must be presented as fully-qualified name in the form of
 &ldquo;/packageName.serviceName/methodName&rdquo; and are case sensitive.
-Exact match, prefix match, and suffix match are supported for paths.
-For example, the path &ldquo;/books/review&rdquo; matches
-&ldquo;/books/review&rdquo; (exact match), or &ldquo;/books/<em>&rdquo; (prefix match),
-or &ldquo;</em>/review&rdquo; (suffix match).
-If not specified, it applies to any path.</p>
+Exact match, prefix match, and suffix match are supported. For example,
+the path &ldquo;/books/review&rdquo; matches &ldquo;/books/review&rdquo; (exact match),
+or &ldquo;/books/<em>&rdquo; (prefix match), or &ldquo;</em>/review&rdquo; (suffix match).
+If not specified, it matches to any path.</p>
 
 </td>
 </tr>
@@ -120,7 +119,7 @@ <h2 id="AccessRule">AccessRule</h2>
 <td>
 <p>Optional. A list of HTTP methods (e.g., &ldquo;GET&rdquo;, &ldquo;POST&rdquo;).
 It is ignored in gRPC case because the value is always &ldquo;POST&rdquo;.
-If set to [&ldquo;*&rdquo;] or not specified, it applies to any method.</p>
+If not specified, it matches to any methods.</p>
 
 </td>
 </tr>
@@ -128,8 +127,7 @@ <h2 id="AccessRule">AccessRule</h2>
 <td><code>constraints</code></td>
 <td><code><a href="#AccessRule-Constraint">AccessRule.Constraint[]</a></code></td>
 <td>
-<p>Optional. Extra constraints in the ServiceRole specification.
-The above ServiceRole example shows an example of constraint &ldquo;version&rdquo;.</p>
+<p>Optional. Extra constraints in the ServiceRole specification.</p>
 
 </td>
 </tr>
@@ -162,10 +160,9 @@ <h2 id="AccessRule-Constraint">AccessRule.Constraint</h2>
 <td><code>string[]</code></td>
 <td>
 <p>List of valid values for the constraint.
-Exact match, prefix match, and suffix match are supported for constraint values.
-For example, the value &ldquo;v1alpha2&rdquo; matches
-&ldquo;v1alpha2&rdquo; (exact match), or &ldquo;v1<em>&rdquo; (prefix match),
-or &ldquo;</em>alpha2&rdquo; (suffix match).</p>
+Exact match, prefix match, and suffix match are supported.
+For example, the value &ldquo;v1alpha2&rdquo; matches &ldquo;v1alpha2&rdquo; (exact match),
+or &ldquo;v1<em>&rdquo; (prefix match), or &ldquo;</em>alpha2&rdquo; (suffix match).</p>
 
 </td>
 </tr>
@@ -335,8 +332,7 @@ <h2 id="RoleRef">RoleRef</h2>
 <td><code>string</code></td>
 <td>
 <p>Required. The name of the ServiceRole object being referenced.
-The ServiceRole object must be in the same namespace as the ServiceRoleBinding
-object.</p>
+The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.</p>
 
 </td>
 </tr>
@@ -345,9 +341,7 @@ <h2 id="RoleRef">RoleRef</h2>
 </section>
 <h2 id="ServiceRole">ServiceRole</h2>
 <section>
-<p>ServiceRole specification contains a list of access rules (permissions).
-This represent the &ldquo;Spec&rdquo; part of the ServiceRole object. The name and namespace
-of the ServiceRole is specified in &ldquo;metadata&rdquo; section of the ServiceRole object.</p>
+<p>ServiceRole specification contains a list of access rules (permissions).</p>
 
 <table class="message-fields">
 <thead>
@@ -371,10 +365,7 @@ <h2 id="ServiceRole">ServiceRole</h2>
 </section>
 <h2 id="ServiceRoleBinding">ServiceRoleBinding</h2>
 <section>
-<p>ServiceRoleBinding assigns a ServiceRole to a list of subjects.
-This represents the &ldquo;Spec&rdquo; part of the ServiceRoleBinding object. The name and namespace
-of the ServiceRoleBinding is specified in &ldquo;metadata&rdquo; section of the ServiceRoleBinding
-object.</p>
+<p>ServiceRoleBinding assigns a ServiceRole to a list of subjects.</p>
 
 <table class="message-fields">
 <thead>
@@ -430,8 +421,7 @@ <h2 id="Subject">Subject</h2>
 <td><code>properties</code></td>
 <td><code>map&lt;string,&nbsp;string&gt;</code></td>
 <td>
-<p>Optional. The set of properties that identify the subject.
-The above ServiceRoleBinding example shows an example of property &ldquo;source.namespace&rdquo;.</p>
+<p>Optional. The set of properties that identify the subject.</p>
 
 </td>
 </tr>
diff --git a/rbac/v1alpha1/rbac.pb.go b/rbac/v1alpha1/rbac.pb.go
index b4f490610b..b194986bed 100644
--- a/rbac/v1alpha1/rbac.pb.go
+++ b/rbac/v1alpha1/rbac.pb.go
@@ -71,6 +71,8 @@
 		rbac/v1alpha1/rbac.proto
 
 	It has these top-level messages:
+		WorkloadSelector
+		AuthorizationPolicy
 		ServiceRole
 		AccessRule
 		ServiceRoleBinding
@@ -159,11 +161,74 @@ var RbacConfig_Mode_value = map[string]int32{
 func (x RbacConfig_Mode) String() string {
 	return proto.EnumName(RbacConfig_Mode_name, int32(x))
 }
-func (RbacConfig_Mode) EnumDescriptor() ([]byte, []int) { return fileDescriptorRbac, []int{5, 0} }
+func (RbacConfig_Mode) EnumDescriptor() ([]byte, []int) { return fileDescriptorRbac, []int{7, 0} }
+
+// $hide_from_docs
+// This is forked from the networking/v1alpha3/sidecar.proto to avoid a direct
+// dependency from the rbac API on networking API.
+// TODO: Move the WorkloadSelector to a common place to be shared by other packages.
+// WorkloadSelector specifies the criteria used to determine if the Gateway
+// or Sidecar resource can be applied to a proxy. The matching criteria
+// includes the metadata associated with a proxy, workload info such as
+// labels attached to the pod/VM, or any other info that the proxy provides
+// to Istio during the initial handshake. If multiple conditions are
+// specified, all conditions need to match in order for the workload to be
+// selected. Currently, only label based selection mechanism is supported.
+type WorkloadSelector struct {
+	// One or more labels that indicate a specific set of pods/VMs on which
+	// this sidecar configuration should be applied. The scope of label
+	// search is restricted to the configuration namespace in which the the
+	// resource is present.
+	Labels map[string]string `protobuf:"bytes,1,rep,name=labels" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *WorkloadSelector) Reset()                    { *m = WorkloadSelector{} }
+func (m *WorkloadSelector) String() string            { return proto.CompactTextString(m) }
+func (*WorkloadSelector) ProtoMessage()               {}
+func (*WorkloadSelector) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{0} }
+
+func (m *WorkloadSelector) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+// $hide_from_docs
+// AuthorizationPolicy to enforce access control on a selected workload.
+type AuthorizationPolicy struct {
+	// $hide_from_docs
+	// Optional. One or more labels that indicate a specific set of pods/VMs
+	// on which this authorization policy should be applied. Leave this empty to
+	// select all pods/VMs.
+	// The scope of label search is platform dependent. On Kubernetes, for example,
+	// the scope includes pods running in the same namespace as the authorization policy itself.
+	WorkloadSelector *WorkloadSelector `protobuf:"bytes,1,opt,name=workload_selector,json=workloadSelector" json:"workload_selector,omitempty"`
+	// $hide_from_docs
+	// A list of bindings that specify the subjects and permissions to the selected workload.
+	Allow []*ServiceRoleBinding `protobuf:"bytes,2,rep,name=allow" json:"allow,omitempty"`
+}
+
+func (m *AuthorizationPolicy) Reset()                    { *m = AuthorizationPolicy{} }
+func (m *AuthorizationPolicy) String() string            { return proto.CompactTextString(m) }
+func (*AuthorizationPolicy) ProtoMessage()               {}
+func (*AuthorizationPolicy) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{1} }
+
+func (m *AuthorizationPolicy) GetWorkloadSelector() *WorkloadSelector {
+	if m != nil {
+		return m.WorkloadSelector
+	}
+	return nil
+}
+
+func (m *AuthorizationPolicy) GetAllow() []*ServiceRoleBinding {
+	if m != nil {
+		return m.Allow
+	}
+	return nil
+}
 
 // ServiceRole specification contains a list of access rules (permissions).
-// This represent the "Spec" part of the ServiceRole object. The name and namespace
-// of the ServiceRole is specified in "metadata" section of the ServiceRole object.
 type ServiceRole struct {
 	// Required. The set of access rules (permissions) that the role has.
 	Rules []*AccessRule `protobuf:"bytes,1,rep,name=rules" json:"rules,omitempty"`
@@ -172,7 +237,7 @@ type ServiceRole struct {
 func (m *ServiceRole) Reset()                    { *m = ServiceRole{} }
 func (m *ServiceRole) String() string            { return proto.CompactTextString(m) }
 func (*ServiceRole) ProtoMessage()               {}
-func (*ServiceRole) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{0} }
+func (*ServiceRole) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{2} }
 
 func (m *ServiceRole) GetRules() []*AccessRule {
 	if m != nil {
@@ -190,28 +255,52 @@ type AccessRule struct {
 	// or "*.mtv.cluster.local" (suffix match).
 	// If set to ["*"], it refers to all services in the namespace.
 	Services []string `protobuf:"bytes,1,rep,name=services" json:"services,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of HTTP hosts. This is matched against the HOST header in
+	// a HTTP request. Exact match, prefix match and suffix match are supported.
+	// For example, the host "test.abc.com" matches "test.abc.com" (exact match),
+	// or "*.abc.com" (prefix match), or "test.abc.*" (suffix match).
+	// If not specified, it matches to any host.
+	Hosts []string `protobuf:"bytes,5,rep,name=hosts" json:"hosts,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of HTTP hosts that must not be matched.
+	NotHosts []string `protobuf:"bytes,6,rep,name=not_hosts,json=notHosts" json:"not_hosts,omitempty"`
 	// Optional. A list of HTTP paths or gRPC methods.
 	// gRPC methods must be presented as fully-qualified name in the form of
 	// "/packageName.serviceName/methodName" and are case sensitive.
-	// Exact match, prefix match, and suffix match are supported for paths.
-	// For example, the path "/books/review" matches
-	// "/books/review" (exact match), or "/books/*" (prefix match),
-	// or "*/review" (suffix match).
-	// If not specified, it applies to any path.
+	// Exact match, prefix match, and suffix match are supported. For example,
+	// the path "/books/review" matches "/books/review" (exact match),
+	// or "/books/*" (prefix match), or "*/review" (suffix match).
+	// If not specified, it matches to any path.
 	Paths []string `protobuf:"bytes,2,rep,name=paths" json:"paths,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of HTTP paths or gRPC methods that must not be matched.
+	NotPaths []string `protobuf:"bytes,7,rep,name=not_paths,json=notPaths" json:"not_paths,omitempty"`
 	// Optional. A list of HTTP methods (e.g., "GET", "POST").
 	// It is ignored in gRPC case because the value is always "POST".
-	// If set to ["*"] or not specified, it applies to any method.
+	// If not specified, it matches to any methods.
 	Methods []string `protobuf:"bytes,3,rep,name=methods" json:"methods,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of HTTP methods that must not be matched.
+	// Note: It's an error to set methods and not_methods at the same time.
+	NotMethods []string `protobuf:"bytes,8,rep,name=not_methods,json=notMethods" json:"not_methods,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of port numbers of the request. If not specified, it matches
+	// to any port number.
+	// Note: It's an error to set ports and not_ports at the same time.
+	Ports []int32 `protobuf:"varint,9,rep,packed,name=ports" json:"ports,omitempty"`
+	// $hide_from_docs
+	// Optional.  A list of port numbers that must not be matched.
+	// Note: It's an error to set ports and not_ports at the same time.
+	NotPorts []int32 `protobuf:"varint,10,rep,packed,name=not_ports,json=notPorts" json:"not_ports,omitempty"`
 	// Optional. Extra constraints in the ServiceRole specification.
-	// The above ServiceRole example shows an example of constraint "version".
 	Constraints []*AccessRule_Constraint `protobuf:"bytes,4,rep,name=constraints" json:"constraints,omitempty"`
 }
 
 func (m *AccessRule) Reset()                    { *m = AccessRule{} }
 func (m *AccessRule) String() string            { return proto.CompactTextString(m) }
 func (*AccessRule) ProtoMessage()               {}
-func (*AccessRule) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{1} }
+func (*AccessRule) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{3} }
 
 func (m *AccessRule) GetServices() []string {
 	if m != nil {
@@ -220,6 +309,20 @@ func (m *AccessRule) GetServices() []string {
 	return nil
 }
 
+func (m *AccessRule) GetHosts() []string {
+	if m != nil {
+		return m.Hosts
+	}
+	return nil
+}
+
+func (m *AccessRule) GetNotHosts() []string {
+	if m != nil {
+		return m.NotHosts
+	}
+	return nil
+}
+
 func (m *AccessRule) GetPaths() []string {
 	if m != nil {
 		return m.Paths
@@ -227,6 +330,13 @@ func (m *AccessRule) GetPaths() []string {
 	return nil
 }
 
+func (m *AccessRule) GetNotPaths() []string {
+	if m != nil {
+		return m.NotPaths
+	}
+	return nil
+}
+
 func (m *AccessRule) GetMethods() []string {
 	if m != nil {
 		return m.Methods
@@ -234,6 +344,27 @@ func (m *AccessRule) GetMethods() []string {
 	return nil
 }
 
+func (m *AccessRule) GetNotMethods() []string {
+	if m != nil {
+		return m.NotMethods
+	}
+	return nil
+}
+
+func (m *AccessRule) GetPorts() []int32 {
+	if m != nil {
+		return m.Ports
+	}
+	return nil
+}
+
+func (m *AccessRule) GetNotPorts() []int32 {
+	if m != nil {
+		return m.NotPorts
+	}
+	return nil
+}
+
 func (m *AccessRule) GetConstraints() []*AccessRule_Constraint {
 	if m != nil {
 		return m.Constraints
@@ -246,17 +377,16 @@ type AccessRule_Constraint struct {
 	// Key of the constraint.
 	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
 	// List of valid values for the constraint.
-	// Exact match, prefix match, and suffix match are supported for constraint values.
-	// For example, the value "v1alpha2" matches
-	// "v1alpha2" (exact match), or "v1*" (prefix match),
-	// or "*alpha2" (suffix match).
+	// Exact match, prefix match, and suffix match are supported.
+	// For example, the value "v1alpha2" matches "v1alpha2" (exact match),
+	// or "v1*" (prefix match), or "*alpha2" (suffix match).
 	Values []string `protobuf:"bytes,2,rep,name=values" json:"values,omitempty"`
 }
 
 func (m *AccessRule_Constraint) Reset()                    { *m = AccessRule_Constraint{} }
 func (m *AccessRule_Constraint) String() string            { return proto.CompactTextString(m) }
 func (*AccessRule_Constraint) ProtoMessage()               {}
-func (*AccessRule_Constraint) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{1, 0} }
+func (*AccessRule_Constraint) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{3, 0} }
 
 func (m *AccessRule_Constraint) GetKey() string {
 	if m != nil {
@@ -273,9 +403,6 @@ func (m *AccessRule_Constraint) GetValues() []string {
 }
 
 // ServiceRoleBinding assigns a ServiceRole to a list of subjects.
-// This represents the "Spec" part of the ServiceRoleBinding object. The name and namespace
-// of the ServiceRoleBinding is specified in "metadata" section of the ServiceRoleBinding
-// object.
 type ServiceRoleBinding struct {
 	// Required. List of subjects that are assigned the ServiceRole object.
 	Subjects []*Subject `protobuf:"bytes,1,rep,name=subjects" json:"subjects,omitempty"`
@@ -289,7 +416,7 @@ type ServiceRoleBinding struct {
 func (m *ServiceRoleBinding) Reset()                    { *m = ServiceRoleBinding{} }
 func (m *ServiceRoleBinding) String() string            { return proto.CompactTextString(m) }
 func (*ServiceRoleBinding) ProtoMessage()               {}
-func (*ServiceRoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{2} }
+func (*ServiceRoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{4} }
 
 func (m *ServiceRoleBinding) GetSubjects() []*Subject {
 	if m != nil {
@@ -318,17 +445,45 @@ type Subject struct {
 	// Optional. The user name/ID that the subject represents.
 	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
 	// $hide_from_docs
+	// Optional. A list of principals that the subject represents. This is matched to the
+	// `source.principal` attribute. If not specified, it applies to any principals.
+	Principals []string `protobuf:"bytes,4,rep,name=principals" json:"principals,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of principals that must not be matched.
+	NotPrincipals []string `protobuf:"bytes,5,rep,name=not_principals,json=notPrincipals" json:"not_principals,omitempty"`
+	// $hide_from_docs
 	// Optional. The group that the subject belongs to.
+	// Deprecated. Use groups and not_groups instead.
 	Group string `protobuf:"bytes,2,opt,name=group,proto3" json:"group,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of groups that the subject represents. This is matched to the
+	// `request.auth.claims[groups]` attribute. If not specified, it applies to any groups.
+	Groups []string `protobuf:"bytes,6,rep,name=groups" json:"groups,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of groups that must not be matched.
+	NotGroups []string `protobuf:"bytes,7,rep,name=not_groups,json=notGroups" json:"not_groups,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of namespaces that the subject represents. This is matched to
+	// the `source.namespace` attribute. If not specified, it applies to any namespaces.
+	Namespaces []string `protobuf:"bytes,8,rep,name=namespaces" json:"namespaces,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of namespaces that must not be matched.
+	NotNamespaces []string `protobuf:"bytes,9,rep,name=not_namespaces,json=notNamespaces" json:"not_namespaces,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of IP address or CIDR ranges that the subject represents.
+	// E.g. 192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP addresses.
+	Ips []string `protobuf:"bytes,10,rep,name=ips" json:"ips,omitempty"`
+	// $hide_from_docs
+	// Optional. A list of IP addresses or CIDR ranges that must not be matched.
+	NotIps []string `protobuf:"bytes,11,rep,name=not_ips,json=notIps" json:"not_ips,omitempty"`
 	// Optional. The set of properties that identify the subject.
-	// The above ServiceRoleBinding example shows an example of property "source.namespace".
 	Properties map[string]string `protobuf:"bytes,3,rep,name=properties" json:"properties,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
 
 func (m *Subject) Reset()                    { *m = Subject{} }
 func (m *Subject) String() string            { return proto.CompactTextString(m) }
 func (*Subject) ProtoMessage()               {}
-func (*Subject) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{3} }
+func (*Subject) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{5} }
 
 func (m *Subject) GetUser() string {
 	if m != nil {
@@ -337,6 +492,20 @@ func (m *Subject) GetUser() string {
 	return ""
 }
 
+func (m *Subject) GetPrincipals() []string {
+	if m != nil {
+		return m.Principals
+	}
+	return nil
+}
+
+func (m *Subject) GetNotPrincipals() []string {
+	if m != nil {
+		return m.NotPrincipals
+	}
+	return nil
+}
+
 func (m *Subject) GetGroup() string {
 	if m != nil {
 		return m.Group
@@ -344,6 +513,48 @@ func (m *Subject) GetGroup() string {
 	return ""
 }
 
+func (m *Subject) GetGroups() []string {
+	if m != nil {
+		return m.Groups
+	}
+	return nil
+}
+
+func (m *Subject) GetNotGroups() []string {
+	if m != nil {
+		return m.NotGroups
+	}
+	return nil
+}
+
+func (m *Subject) GetNamespaces() []string {
+	if m != nil {
+		return m.Namespaces
+	}
+	return nil
+}
+
+func (m *Subject) GetNotNamespaces() []string {
+	if m != nil {
+		return m.NotNamespaces
+	}
+	return nil
+}
+
+func (m *Subject) GetIps() []string {
+	if m != nil {
+		return m.Ips
+	}
+	return nil
+}
+
+func (m *Subject) GetNotIps() []string {
+	if m != nil {
+		return m.NotIps
+	}
+	return nil
+}
+
 func (m *Subject) GetProperties() map[string]string {
 	if m != nil {
 		return m.Properties
@@ -357,15 +568,14 @@ type RoleRef struct {
 	// Currently, "ServiceRole" is the only supported value for "kind".
 	Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"`
 	// Required. The name of the ServiceRole object being referenced.
-	// The ServiceRole object must be in the same namespace as the ServiceRoleBinding
-	// object.
+	// The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.
 	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
 }
 
 func (m *RoleRef) Reset()                    { *m = RoleRef{} }
 func (m *RoleRef) String() string            { return proto.CompactTextString(m) }
 func (*RoleRef) ProtoMessage()               {}
-func (*RoleRef) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{4} }
+func (*RoleRef) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{6} }
 
 func (m *RoleRef) GetKind() string {
 	if m != nil {
@@ -422,7 +632,7 @@ type RbacConfig struct {
 func (m *RbacConfig) Reset()                    { *m = RbacConfig{} }
 func (m *RbacConfig) String() string            { return proto.CompactTextString(m) }
 func (*RbacConfig) ProtoMessage()               {}
-func (*RbacConfig) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{5} }
+func (*RbacConfig) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{7} }
 
 func (m *RbacConfig) GetMode() RbacConfig_Mode {
 	if m != nil {
@@ -456,6 +666,9 @@ func (m *RbacConfig) GetEnforcementMode() EnforcementMode {
 type RbacConfig_Target struct {
 	// A list of services.
 	Services []string `protobuf:"bytes,1,rep,name=services" json:"services,omitempty"`
+	// $hide_from_docs
+	// A list of workloads.
+	WorkloadSelectors []*WorkloadSelector `protobuf:"bytes,3,rep,name=workload_selectors,json=workloadSelectors" json:"workload_selectors,omitempty"`
 	// A list of namespaces.
 	Namespaces []string `protobuf:"bytes,2,rep,name=namespaces" json:"namespaces,omitempty"`
 }
@@ -463,7 +676,7 @@ type RbacConfig_Target struct {
 func (m *RbacConfig_Target) Reset()                    { *m = RbacConfig_Target{} }
 func (m *RbacConfig_Target) String() string            { return proto.CompactTextString(m) }
 func (*RbacConfig_Target) ProtoMessage()               {}
-func (*RbacConfig_Target) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{5, 0} }
+func (*RbacConfig_Target) Descriptor() ([]byte, []int) { return fileDescriptorRbac, []int{7, 0} }
 
 func (m *RbacConfig_Target) GetServices() []string {
 	if m != nil {
@@ -472,6 +685,13 @@ func (m *RbacConfig_Target) GetServices() []string {
 	return nil
 }
 
+func (m *RbacConfig_Target) GetWorkloadSelectors() []*WorkloadSelector {
+	if m != nil {
+		return m.WorkloadSelectors
+	}
+	return nil
+}
+
 func (m *RbacConfig_Target) GetNamespaces() []string {
 	if m != nil {
 		return m.Namespaces
@@ -480,6 +700,8 @@ func (m *RbacConfig_Target) GetNamespaces() []string {
 }
 
 func init() {
+	proto.RegisterType((*WorkloadSelector)(nil), "istio.rbac.v1alpha1.WorkloadSelector")
+	proto.RegisterType((*AuthorizationPolicy)(nil), "istio.rbac.v1alpha1.AuthorizationPolicy")
 	proto.RegisterType((*ServiceRole)(nil), "istio.rbac.v1alpha1.ServiceRole")
 	proto.RegisterType((*AccessRule)(nil), "istio.rbac.v1alpha1.AccessRule")
 	proto.RegisterType((*AccessRule_Constraint)(nil), "istio.rbac.v1alpha1.AccessRule.Constraint")
@@ -491,6 +713,81 @@ func init() {
 	proto.RegisterEnum("istio.rbac.v1alpha1.EnforcementMode", EnforcementMode_name, EnforcementMode_value)
 	proto.RegisterEnum("istio.rbac.v1alpha1.RbacConfig_Mode", RbacConfig_Mode_name, RbacConfig_Mode_value)
 }
+func (m *WorkloadSelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkloadSelector) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Labels) > 0 {
+		for k, _ := range m.Labels {
+			dAtA[i] = 0xa
+			i++
+			v := m.Labels[k]
+			mapSize := 1 + len(k) + sovRbac(uint64(len(k))) + 1 + len(v) + sovRbac(uint64(len(v)))
+			i = encodeVarintRbac(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintRbac(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintRbac(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *AuthorizationPolicy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AuthorizationPolicy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.WorkloadSelector != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintRbac(dAtA, i, uint64(m.WorkloadSelector.Size()))
+		n1, err := m.WorkloadSelector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n1
+	}
+	if len(m.Allow) > 0 {
+		for _, msg := range m.Allow {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintRbac(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
 func (m *ServiceRole) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -593,6 +890,102 @@ func (m *AccessRule) MarshalTo(dAtA []byte) (int, error) {
 			i += n
 		}
 	}
+	if len(m.Hosts) > 0 {
+		for _, s := range m.Hosts {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NotHosts) > 0 {
+		for _, s := range m.NotHosts {
+			dAtA[i] = 0x32
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NotPaths) > 0 {
+		for _, s := range m.NotPaths {
+			dAtA[i] = 0x3a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NotMethods) > 0 {
+		for _, s := range m.NotMethods {
+			dAtA[i] = 0x42
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Ports) > 0 {
+		dAtA3 := make([]byte, len(m.Ports)*10)
+		var j2 int
+		for _, num1 := range m.Ports {
+			num := uint64(num1)
+			for num >= 1<<7 {
+				dAtA3[j2] = uint8(uint64(num)&0x7f | 0x80)
+				num >>= 7
+				j2++
+			}
+			dAtA3[j2] = uint8(num)
+			j2++
+		}
+		dAtA[i] = 0x4a
+		i++
+		i = encodeVarintRbac(dAtA, i, uint64(j2))
+		i += copy(dAtA[i:], dAtA3[:j2])
+	}
+	if len(m.NotPorts) > 0 {
+		dAtA5 := make([]byte, len(m.NotPorts)*10)
+		var j4 int
+		for _, num1 := range m.NotPorts {
+			num := uint64(num1)
+			for num >= 1<<7 {
+				dAtA5[j4] = uint8(uint64(num)&0x7f | 0x80)
+				num >>= 7
+				j4++
+			}
+			dAtA5[j4] = uint8(num)
+			j4++
+		}
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintRbac(dAtA, i, uint64(j4))
+		i += copy(dAtA[i:], dAtA5[:j4])
+	}
 	return i, nil
 }
 
@@ -666,11 +1059,11 @@ func (m *ServiceRoleBinding) MarshalTo(dAtA []byte) (int, error) {
 		dAtA[i] = 0x12
 		i++
 		i = encodeVarintRbac(dAtA, i, uint64(m.RoleRef.Size()))
-		n1, err := m.RoleRef.MarshalTo(dAtA[i:])
+		n6, err := m.RoleRef.MarshalTo(dAtA[i:])
 		if err != nil {
 			return 0, err
 		}
-		i += n1
+		i += n6
 	}
 	if m.Mode != 0 {
 		dAtA[i] = 0x18
@@ -724,21 +1117,141 @@ func (m *Subject) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], v)
 		}
 	}
-	return i, nil
-}
-
-func (m *RoleRef) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalTo(dAtA)
-	if err != nil {
-		return nil, err
+	if len(m.Principals) > 0 {
+		for _, s := range m.Principals {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
 	}
-	return dAtA[:n], nil
-}
-
-func (m *RoleRef) MarshalTo(dAtA []byte) (int, error) {
-	var i int
+	if len(m.NotPrincipals) > 0 {
+		for _, s := range m.NotPrincipals {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			dAtA[i] = 0x32
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NotGroups) > 0 {
+		for _, s := range m.NotGroups {
+			dAtA[i] = 0x3a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Namespaces) > 0 {
+		for _, s := range m.Namespaces {
+			dAtA[i] = 0x42
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NotNamespaces) > 0 {
+		for _, s := range m.NotNamespaces {
+			dAtA[i] = 0x4a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Ips) > 0 {
+		for _, s := range m.Ips {
+			dAtA[i] = 0x52
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NotIps) > 0 {
+		for _, s := range m.NotIps {
+			dAtA[i] = 0x5a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleRef) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleRef) MarshalTo(dAtA []byte) (int, error) {
+	var i int
 	_ = i
 	var l int
 	_ = l
@@ -781,21 +1294,21 @@ func (m *RbacConfig) MarshalTo(dAtA []byte) (int, error) {
 		dAtA[i] = 0x12
 		i++
 		i = encodeVarintRbac(dAtA, i, uint64(m.Inclusion.Size()))
-		n2, err := m.Inclusion.MarshalTo(dAtA[i:])
+		n7, err := m.Inclusion.MarshalTo(dAtA[i:])
 		if err != nil {
 			return 0, err
 		}
-		i += n2
+		i += n7
 	}
 	if m.Exclusion != nil {
 		dAtA[i] = 0x1a
 		i++
 		i = encodeVarintRbac(dAtA, i, uint64(m.Exclusion.Size()))
-		n3, err := m.Exclusion.MarshalTo(dAtA[i:])
+		n8, err := m.Exclusion.MarshalTo(dAtA[i:])
 		if err != nil {
 			return 0, err
 		}
-		i += n3
+		i += n8
 	}
 	if m.EnforcementMode != 0 {
 		dAtA[i] = 0x20
@@ -850,6 +1363,18 @@ func (m *RbacConfig_Target) MarshalTo(dAtA []byte) (int, error) {
 			i += copy(dAtA[i:], s)
 		}
 	}
+	if len(m.WorkloadSelectors) > 0 {
+		for _, msg := range m.WorkloadSelectors {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintRbac(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
 	return i, nil
 }
 
@@ -862,6 +1387,36 @@ func encodeVarintRbac(dAtA []byte, offset int, v uint64) int {
 	dAtA[offset] = uint8(v)
 	return offset + 1
 }
+func (m *WorkloadSelector) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Labels) > 0 {
+		for k, v := range m.Labels {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovRbac(uint64(len(k))) + 1 + len(v) + sovRbac(uint64(len(v)))
+			n += mapEntrySize + 1 + sovRbac(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *AuthorizationPolicy) Size() (n int) {
+	var l int
+	_ = l
+	if m.WorkloadSelector != nil {
+		l = m.WorkloadSelector.Size()
+		n += 1 + l + sovRbac(uint64(l))
+	}
+	if len(m.Allow) > 0 {
+		for _, e := range m.Allow {
+			l = e.Size()
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	return n
+}
+
 func (m *ServiceRole) Size() (n int) {
 	var l int
 	_ = l
@@ -901,6 +1456,44 @@ func (m *AccessRule) Size() (n int) {
 			n += 1 + l + sovRbac(uint64(l))
 		}
 	}
+	if len(m.Hosts) > 0 {
+		for _, s := range m.Hosts {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.NotHosts) > 0 {
+		for _, s := range m.NotHosts {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.NotPaths) > 0 {
+		for _, s := range m.NotPaths {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.NotMethods) > 0 {
+		for _, s := range m.NotMethods {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.Ports) > 0 {
+		l = 0
+		for _, e := range m.Ports {
+			l += sovRbac(uint64(e))
+		}
+		n += 1 + sovRbac(uint64(l)) + l
+	}
+	if len(m.NotPorts) > 0 {
+		l = 0
+		for _, e := range m.NotPorts {
+			l += sovRbac(uint64(e))
+		}
+		n += 1 + sovRbac(uint64(l)) + l
+	}
 	return n
 }
 
@@ -958,6 +1551,54 @@ func (m *Subject) Size() (n int) {
 			n += mapEntrySize + 1 + sovRbac(uint64(mapEntrySize))
 		}
 	}
+	if len(m.Principals) > 0 {
+		for _, s := range m.Principals {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.NotPrincipals) > 0 {
+		for _, s := range m.NotPrincipals {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.NotGroups) > 0 {
+		for _, s := range m.NotGroups {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.Namespaces) > 0 {
+		for _, s := range m.Namespaces {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.NotNamespaces) > 0 {
+		for _, s := range m.NotNamespaces {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.Ips) > 0 {
+		for _, s := range m.Ips {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
+	if len(m.NotIps) > 0 {
+		for _, s := range m.NotIps {
+			l = len(s)
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -1010,6 +1651,12 @@ func (m *RbacConfig_Target) Size() (n int) {
 			n += 1 + l + sovRbac(uint64(l))
 		}
 	}
+	if len(m.WorkloadSelectors) > 0 {
+		for _, e := range m.WorkloadSelectors {
+			l = e.Size()
+			n += 1 + l + sovRbac(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -1026,7 +1673,7 @@ func sovRbac(x uint64) (n int) {
 func sozRbac(x uint64) (n int) {
 	return sovRbac(uint64((x << 1) ^ uint64((int64(x) >> 63))))
 }
-func (m *ServiceRole) Unmarshal(dAtA []byte) error {
+func (m *WorkloadSelector) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1049,15 +1696,15 @@ func (m *ServiceRole) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: ServiceRole: wiretype end group for non-group")
+			return fmt.Errorf("proto: WorkloadSelector: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ServiceRole: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: WorkloadSelector: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1081,68 +1728,350 @@ func (m *ServiceRole) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Rules = append(m.Rules, &AccessRule{})
-			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipRbac(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if skippy < 0 {
-				return ErrInvalidLengthRbac
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *AccessRule) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowRbac
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: AccessRule: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: AccessRule: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Services", wireType)
+			if m.Labels == nil {
+				m.Labels = make(map[string]string)
 			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowRbac
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowRbac
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthRbac
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowRbac
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthRbac
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipRbac(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthRbac
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Labels[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipRbac(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthRbac
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AuthorizationPolicy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowRbac
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AuthorizationPolicy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AuthorizationPolicy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field WorkloadSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.WorkloadSelector == nil {
+				m.WorkloadSelector = &WorkloadSelector{}
+			}
+			if err := m.WorkloadSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Allow", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Allow = append(m.Allow, &ServiceRoleBinding{})
+			if err := m.Allow[len(m.Allow)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipRbac(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthRbac
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceRole) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowRbac
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceRole: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceRole: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, &AccessRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipRbac(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthRbac
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AccessRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowRbac
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AccessRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AccessRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Services", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
 					return ErrIntOverflowRbac
 				}
 				if iNdEx >= l {
@@ -1242,18 +2171,258 @@ func (m *AccessRule) Unmarshal(dAtA []byte) error {
 					break
 				}
 			}
-			if msglen < 0 {
-				return ErrInvalidLengthRbac
-			}
-			postIndex := iNdEx + msglen
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Constraints = append(m.Constraints, &AccessRule_Constraint{})
-			if err := m.Constraints[len(m.Constraints)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
+			if msglen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Constraints = append(m.Constraints, &AccessRule_Constraint{})
+			if err := m.Constraints[len(m.Constraints)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hosts", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Hosts = append(m.Hosts, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotHosts", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotHosts = append(m.NotHosts, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotPaths", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotPaths = append(m.NotPaths, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotMethods", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotMethods = append(m.NotMethods, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 9:
+			if wireType == 0 {
+				var v int32
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowRbac
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					v |= (int32(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				m.Ports = append(m.Ports, v)
+			} else if wireType == 2 {
+				var packedLen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowRbac
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					packedLen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if packedLen < 0 {
+					return ErrInvalidLengthRbac
+				}
+				postIndex := iNdEx + packedLen
+				if postIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				for iNdEx < postIndex {
+					var v int32
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowRbac
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						v |= (int32(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					m.Ports = append(m.Ports, v)
+				}
+			} else {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+		case 10:
+			if wireType == 0 {
+				var v int32
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowRbac
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					v |= (int32(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				m.NotPorts = append(m.NotPorts, v)
+			} else if wireType == 2 {
+				var packedLen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowRbac
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					packedLen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if packedLen < 0 {
+					return ErrInvalidLengthRbac
+				}
+				postIndex := iNdEx + packedLen
+				if postIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				for iNdEx < postIndex {
+					var v int32
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowRbac
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						v |= (int32(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					m.NotPorts = append(m.NotPorts, v)
+				}
+			} else {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotPorts", wireType)
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipRbac(dAtA[iNdEx:])
@@ -1721,6 +2890,238 @@ func (m *Subject) Unmarshal(dAtA []byte) error {
 			}
 			m.Properties[mapkey] = mapvalue
 			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Principals", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Principals = append(m.Principals, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotPrincipals", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotPrincipals = append(m.NotPrincipals, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotGroups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotGroups = append(m.NotGroups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespaces", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespaces = append(m.Namespaces, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotNamespaces", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotNamespaces = append(m.NotNamespaces, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ips", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ips = append(m.Ips, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotIps", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotIps = append(m.NotIps, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipRbac(dAtA[iNdEx:])
@@ -2091,6 +3492,37 @@ func (m *RbacConfig_Target) Unmarshal(dAtA []byte) error {
 			}
 			m.Namespaces = append(m.Namespaces, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field WorkloadSelectors", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRbac
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthRbac
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.WorkloadSelectors = append(m.WorkloadSelectors, &WorkloadSelector{})
+			if err := m.WorkloadSelectors[len(m.WorkloadSelectors)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipRbac(dAtA[iNdEx:])
@@ -2220,44 +3652,62 @@ var (
 func init() { proto.RegisterFile("rbac/v1alpha1/rbac.proto", fileDescriptorRbac) }
 
 var fileDescriptorRbac = []byte{
-	// 615 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x54, 0xdd, 0x6a, 0xdb, 0x4c,
-	0x10, 0xcd, 0x5a, 0x8e, 0x1d, 0x8f, 0x3f, 0x12, 0x7d, 0xdb, 0xb4, 0x08, 0x53, 0x5c, 0x63, 0x4a,
-	0x31, 0xa1, 0xc8, 0x24, 0xa5, 0x21, 0x14, 0x7a, 0xd1, 0xd8, 0x0a, 0x35, 0x24, 0x56, 0x58, 0xa7,
-	0x3f, 0xf4, 0x26, 0xc8, 0xf2, 0xc6, 0xd9, 0x46, 0xde, 0x15, 0xbb, 0x52, 0x68, 0xde, 0xaa, 0x8f,
-	0xd0, 0xcb, 0x5e, 0xf6, 0x09, 0x4a, 0xc9, 0x93, 0x14, 0xad, 0x2c, 0xc9, 0x09, 0x6e, 0x42, 0xee,
-	0x66, 0xce, 0xcc, 0x19, 0x9f, 0x39, 0x63, 0x2d, 0x58, 0x72, 0xec, 0xf9, 0xdd, 0xcb, 0x6d, 0x2f,
-	0x08, 0xcf, 0xbd, 0xed, 0x6e, 0x92, 0xd9, 0xa1, 0x14, 0x91, 0xc0, 0x8f, 0x98, 0x8a, 0x98, 0xb0,
-	0x35, 0x92, 0xd5, 0xdb, 0x7d, 0xa8, 0x8f, 0xa8, 0xbc, 0x64, 0x3e, 0x25, 0x22, 0xa0, 0xf8, 0x35,
-	0xac, 0xca, 0x38, 0xa0, 0xca, 0x42, 0x2d, 0xa3, 0x53, 0xdf, 0x79, 0x66, 0x2f, 0xe1, 0xd8, 0xef,
-	0x7c, 0x9f, 0x2a, 0x45, 0xe2, 0x80, 0x92, 0xb4, 0xbb, 0xfd, 0x1b, 0x01, 0x14, 0x28, 0x6e, 0xc0,
-	0x9a, 0x4a, 0x87, 0xa6, 0x83, 0x6a, 0x24, 0xcf, 0xf1, 0x26, 0xac, 0x86, 0x5e, 0x74, 0xae, 0xac,
-	0x92, 0x2e, 0xa4, 0x09, 0xb6, 0xa0, 0x3a, 0xa3, 0xd1, 0xb9, 0x98, 0x28, 0xcb, 0xd0, 0x78, 0x96,
-	0xe2, 0x43, 0xa8, 0xfb, 0x82, 0xab, 0x48, 0x7a, 0x8c, 0x47, 0xca, 0x2a, 0x6b, 0x5d, 0x5b, 0xf7,
-	0xe8, 0xb2, 0x7b, 0x39, 0x85, 0x2c, 0xd2, 0x1b, 0xbb, 0x00, 0x45, 0x09, 0x9b, 0x60, 0x5c, 0xd0,
-	0x2b, 0x0b, 0xb5, 0x50, 0xa7, 0x46, 0x92, 0x10, 0x3f, 0x81, 0xca, 0xa5, 0x17, 0xc4, 0x34, 0x93,
-	0x37, 0xcf, 0xda, 0x3f, 0x10, 0xe0, 0x05, 0x9f, 0xf6, 0x19, 0x9f, 0x30, 0x3e, 0xc5, 0x7b, 0xb0,
-	0xa6, 0xe2, 0xf1, 0x57, 0xea, 0x47, 0x99, 0x63, 0x4f, 0x97, 0x2a, 0x1b, 0xa5, 0x4d, 0x24, 0xef,
-	0xc6, 0xbb, 0x50, 0x95, 0x22, 0xa0, 0x84, 0x9e, 0x59, 0xa5, 0x16, 0xfa, 0x27, 0x91, 0xa4, 0x3d,
-	0x24, 0x6b, 0xc6, 0x7b, 0x50, 0x9e, 0x89, 0x09, 0xb5, 0x8c, 0x16, 0xea, 0xac, 0xef, 0x3c, 0x5f,
-	0x4a, 0x72, 0xf8, 0x99, 0x90, 0x3e, 0x9d, 0x51, 0x1e, 0x1d, 0x89, 0x09, 0x25, 0x9a, 0x91, 0xac,
-	0x50, 0x9d, 0xeb, 0xc0, 0x18, 0xca, 0xb1, 0xa2, 0x72, 0xbe, 0xb9, 0x8e, 0x93, 0xc3, 0x4c, 0xa5,
-	0x88, 0x43, 0xad, 0xa7, 0x46, 0xd2, 0x04, 0x1f, 0x02, 0x84, 0x52, 0x84, 0x54, 0x46, 0x8c, 0xa6,
-	0xb7, 0xa9, 0xef, 0xbc, 0xbc, 0x6b, 0x47, 0xfb, 0x38, 0x6f, 0x77, 0x78, 0x24, 0xaf, 0xc8, 0x02,
-	0xbf, 0xf1, 0x16, 0x36, 0x6e, 0x95, 0x97, 0xdc, 0x60, 0x13, 0x56, 0xb5, 0xeb, 0x99, 0x10, 0x9d,
-	0xbc, 0x29, 0xed, 0xa1, 0xf6, 0x36, 0x54, 0xe7, 0x86, 0x24, 0x1b, 0x5c, 0x30, 0x3e, 0xc9, 0x36,
-	0x48, 0xe2, 0x04, 0xe3, 0xde, 0x2c, 0xe3, 0xe9, 0xb8, 0xfd, 0xdd, 0x00, 0x20, 0x63, 0xcf, 0xef,
-	0x09, 0x7e, 0xc6, 0xa6, 0xb9, 0x7d, 0xe8, 0x0e, 0xfb, 0x8a, 0x76, 0xbb, 0xb0, 0x0f, 0xf7, 0xa1,
-	0xc6, 0xb8, 0x1f, 0xc4, 0x8a, 0x09, 0x3e, 0x3f, 0xd9, 0x8b, 0xfb, 0xe8, 0x27, 0x9e, 0x9c, 0xd2,
-	0x88, 0x14, 0xc4, 0x64, 0x0a, 0xfd, 0x96, 0x4d, 0x31, 0x1e, 0x36, 0x25, 0x27, 0x62, 0x17, 0x4c,
-	0x5a, 0xdc, 0xf8, 0x54, 0x6f, 0x54, 0x7e, 0xc0, 0x1f, 0x62, 0x83, 0xde, 0x04, 0x1a, 0x7d, 0xa8,
-	0xa4, 0xbf, 0x72, 0xe7, 0xa7, 0xdb, 0x04, 0x48, 0x3c, 0x55, 0xa1, 0xe7, 0xe7, 0x1f, 0xc8, 0x02,
-	0xd2, 0x76, 0xa0, 0x9c, 0x4c, 0xc3, 0x55, 0x30, 0xdc, 0x83, 0x03, 0x73, 0x05, 0x57, 0xa0, 0xe4,
-	0x0e, 0x4d, 0x84, 0x1f, 0xc3, 0xff, 0xee, 0xf0, 0xf4, 0xd3, 0xe0, 0xe4, 0xfd, 0xe9, 0x60, 0xd8,
-	0x3b, 0xfc, 0x30, 0x1a, 0xb8, 0x43, 0xb3, 0xb4, 0x08, 0x3b, 0x9f, 0x33, 0xd8, 0xd8, 0xea, 0xc2,
-	0xc6, 0x2d, 0xc1, 0xf8, 0x3f, 0x58, 0x73, 0x86, 0x07, 0x2e, 0xe9, 0x39, 0x7d, 0x73, 0x05, 0xaf,
-	0x03, 0x1c, 0x3b, 0xe4, 0x68, 0x30, 0x1a, 0x0d, 0x3e, 0x3a, 0x26, 0xda, 0xef, 0xfc, 0xbc, 0x6e,
-	0xa2, 0x5f, 0xd7, 0x4d, 0xf4, 0xe7, 0xba, 0x89, 0xbe, 0x34, 0x52, 0x07, 0x98, 0xe8, 0x7a, 0x21,
-	0xeb, 0xde, 0x78, 0x0d, 0xc7, 0x15, 0xfd, 0x12, 0xbe, 0xfa, 0x1b, 0x00, 0x00, 0xff, 0xff, 0x00,
-	0xdb, 0x22, 0xbc, 0x25, 0x05, 0x00, 0x00,
+	// 909 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0xdd, 0x6e, 0x23, 0x35,
+	0x14, 0xde, 0xc9, 0xe4, 0xa7, 0x39, 0x81, 0x76, 0xea, 0x85, 0x65, 0x14, 0x20, 0x5b, 0x45, 0x2c,
+	0x44, 0x2b, 0x94, 0xa8, 0x45, 0xac, 0x0a, 0xd2, 0x5e, 0x6c, 0xdb, 0x94, 0x8d, 0xd4, 0x26, 0x95,
+	0x53, 0x58, 0xc4, 0x4d, 0x34, 0x99, 0xb8, 0x8d, 0xe9, 0xd4, 0x1e, 0xd9, 0x4e, 0x4b, 0xb9, 0xe4,
+	0x86, 0x57, 0x40, 0x3c, 0x01, 0x0f, 0xc0, 0x03, 0x70, 0xc9, 0x25, 0x8f, 0x80, 0xfa, 0x24, 0xc8,
+	0xf6, 0xfc, 0xa4, 0x69, 0xe8, 0xb6, 0x77, 0x3e, 0xdf, 0x39, 0xdf, 0x39, 0x9f, 0xed, 0xcf, 0x99,
+	0x80, 0x2f, 0xc6, 0x41, 0xd8, 0xb9, 0xd8, 0x0c, 0xa2, 0x78, 0x1a, 0x6c, 0x76, 0x74, 0xd4, 0x8e,
+	0x05, 0x57, 0x1c, 0x3d, 0xa6, 0x52, 0x51, 0xde, 0x36, 0x48, 0x9a, 0x6f, 0xfe, 0xe6, 0x80, 0xf7,
+	0x86, 0x8b, 0xb3, 0x88, 0x07, 0x93, 0x21, 0x89, 0x48, 0xa8, 0xb8, 0x40, 0x3d, 0x28, 0x47, 0xc1,
+	0x98, 0x44, 0xd2, 0x77, 0x36, 0xdc, 0x56, 0x6d, 0x6b, 0xb3, 0xbd, 0x84, 0xda, 0x5e, 0xa4, 0xb5,
+	0x0f, 0x0c, 0xa7, 0xcb, 0x94, 0xb8, 0xc2, 0x49, 0x83, 0xfa, 0x57, 0x50, 0x9b, 0x83, 0x91, 0x07,
+	0xee, 0x19, 0xb9, 0xf2, 0x9d, 0x0d, 0xa7, 0x55, 0xc5, 0x7a, 0x89, 0xde, 0x83, 0xd2, 0x45, 0x10,
+	0xcd, 0x88, 0x5f, 0x30, 0x98, 0x0d, 0xbe, 0x2e, 0x6c, 0x3b, 0xcd, 0x3f, 0x1c, 0x78, 0xfc, 0x6a,
+	0xa6, 0xa6, 0x5c, 0xd0, 0x9f, 0x03, 0x45, 0x39, 0x3b, 0xe2, 0x11, 0x0d, 0xaf, 0x10, 0x86, 0xf5,
+	0xcb, 0x64, 0xf4, 0x48, 0x26, 0xb3, 0x4d, 0xc7, 0xda, 0xd6, 0xb3, 0x7b, 0x09, 0xc5, 0xde, 0xe5,
+	0xe2, 0x8e, 0x5f, 0x42, 0x29, 0x88, 0x22, 0x7e, 0xe9, 0x17, 0xcc, 0x86, 0x3f, 0x5b, 0xda, 0x67,
+	0x48, 0xc4, 0x05, 0x0d, 0x09, 0xe6, 0x11, 0xd9, 0xa1, 0x6c, 0x42, 0xd9, 0x29, 0xb6, 0xac, 0xe6,
+	0x1e, 0xd4, 0xe6, 0x92, 0xe8, 0x4b, 0x28, 0x89, 0x59, 0x44, 0xd2, 0xe3, 0x7b, 0xba, 0xb4, 0xdb,
+	0xab, 0x30, 0x24, 0x52, 0xe2, 0x59, 0x44, 0xb0, 0xad, 0x6e, 0xfe, 0xe2, 0x02, 0xe4, 0x28, 0xaa,
+	0xc3, 0x8a, 0xb4, 0x4d, 0x6d, 0xa3, 0x2a, 0xce, 0x62, 0x7d, 0x6a, 0x71, 0xa0, 0xa6, 0xd2, 0xe8,
+	0xad, 0x62, 0x1b, 0x20, 0x1f, 0x2a, 0xe7, 0x44, 0x4d, 0xf9, 0x44, 0xfa, 0xae, 0xc1, 0xd3, 0x10,
+	0x1d, 0x40, 0x2d, 0xe4, 0x4c, 0x2a, 0x11, 0x50, 0xa6, 0xa4, 0x5f, 0x34, 0xba, 0x9e, 0xbf, 0x45,
+	0x57, 0x7b, 0x37, 0xa3, 0xe0, 0x79, 0xba, 0x9e, 0x3e, 0xe5, 0x52, 0x49, 0xbf, 0x64, 0xa7, 0x9b,
+	0x00, 0x7d, 0x08, 0x55, 0xc6, 0xd5, 0xc8, 0x66, 0xca, 0x56, 0x30, 0xe3, 0xea, 0xf5, 0x7c, 0xd2,
+	0x8a, 0xae, 0x64, 0xc9, 0x23, 0xa3, 0xfb, 0x29, 0xd4, 0x74, 0x32, 0xd5, 0xbe, 0x62, 0xd2, 0xc0,
+	0xb8, 0x3a, 0x4c, 0xe4, 0xeb, 0xed, 0x72, 0xa1, 0xa4, 0x5f, 0xdd, 0x70, 0x5b, 0x25, 0x6c, 0x83,
+	0xac, 0xa7, 0xc9, 0x80, 0xc9, 0x98, 0x9e, 0x3a, 0xae, 0xbf, 0x00, 0xc8, 0xe5, 0x2f, 0xf1, 0xdd,
+	0x13, 0x28, 0x1b, 0xab, 0xa5, 0x47, 0x98, 0x44, 0xcd, 0xbf, 0x1c, 0x40, 0xb7, 0x2f, 0x1a, 0x6d,
+	0xc3, 0x8a, 0x9c, 0x8d, 0x7f, 0x24, 0xa1, 0x4a, 0x6f, 0xf5, 0xa3, 0xe5, 0x1e, 0xb1, 0x45, 0x38,
+	0xab, 0x46, 0x2f, 0xa0, 0x22, 0x78, 0x44, 0x30, 0x39, 0x31, 0x16, 0xff, 0x3f, 0x22, 0xb6, 0x35,
+	0x38, 0x2d, 0x46, 0xdb, 0x50, 0x3c, 0xe7, 0x13, 0xe2, 0xbb, 0x1b, 0x4e, 0x6b, 0x75, 0xeb, 0x93,
+	0xa5, 0xa4, 0x2e, 0x3b, 0xe1, 0x22, 0x24, 0xe7, 0x84, 0xa9, 0x43, 0x3e, 0x21, 0xd8, 0x30, 0x9a,
+	0x7f, 0xba, 0x50, 0x49, 0x74, 0x20, 0x04, 0xc5, 0x99, 0x24, 0x22, 0xd9, 0xb9, 0x59, 0x23, 0x1f,
+	0x4a, 0xa7, 0x82, 0xcf, 0x62, 0xfb, 0xe4, 0x76, 0x0a, 0xbe, 0x83, 0x2d, 0x80, 0x0e, 0x00, 0x62,
+	0xc1, 0x63, 0x22, 0x14, 0x25, 0xd6, 0x43, 0xb5, 0xad, 0xcf, 0xef, 0xda, 0x67, 0xfb, 0x28, 0x2b,
+	0xb7, 0xef, 0x7e, 0x8e, 0x8f, 0x1a, 0xba, 0x1b, 0x65, 0x21, 0x8d, 0x83, 0xc8, 0x7a, 0xae, 0x8a,
+	0xe7, 0x10, 0xf4, 0x0c, 0x56, 0xcd, 0xfd, 0xe5, 0x35, 0xd6, 0x4f, 0xef, 0xea, 0x4b, 0xcc, 0xcb,
+	0x9e, 0x40, 0xd9, 0xa8, 0x4b, 0x4d, 0x95, 0x44, 0xe8, 0x63, 0xd0, 0x16, 0x19, 0x25, 0x39, 0xeb,
+	0x29, 0x6d, 0x88, 0x6f, 0x6c, 0xba, 0x01, 0xc0, 0x82, 0x73, 0x22, 0xe3, 0x40, 0x3f, 0xa0, 0xd4,
+	0x53, 0x19, 0x92, 0x4e, 0x9f, 0xab, 0xa9, 0x66, 0xd3, 0xfb, 0x79, 0x99, 0x07, 0x2e, 0x8d, 0xad,
+	0xbd, 0xaa, 0x58, 0x2f, 0xd1, 0x07, 0x50, 0xd1, 0x44, 0x8d, 0xd6, 0xac, 0x20, 0xc6, 0x55, 0x2f,
+	0x96, 0xf5, 0x97, 0xb0, 0xb6, 0x70, 0x1c, 0x0f, 0xfa, 0xbd, 0xdb, 0x84, 0x4a, 0x62, 0x02, 0x7d,
+	0x6b, 0x67, 0x94, 0x4d, 0xd2, 0x5b, 0xd3, 0x6b, 0x8d, 0x69, 0xad, 0x09, 0xcf, 0xac, 0x9b, 0xbf,
+	0x16, 0x01, 0xf0, 0x38, 0x08, 0x77, 0x39, 0x3b, 0xa1, 0xa7, 0x99, 0x65, 0x9c, 0x3b, 0x2c, 0x93,
+	0x97, 0xb7, 0x73, 0xcb, 0xa0, 0x3d, 0xa8, 0x52, 0x16, 0x46, 0x33, 0x49, 0x39, 0x4b, 0x6c, 0xfa,
+	0xe9, 0xdb, 0xe8, 0xc7, 0x81, 0x38, 0x25, 0x0a, 0xe7, 0x44, 0xdd, 0x85, 0xfc, 0x94, 0x76, 0x71,
+	0x1f, 0xd6, 0x25, 0x23, 0xa2, 0x01, 0x78, 0x24, 0xf7, 0xf5, 0xc8, 0xec, 0xa8, 0xf8, 0x80, 0x47,
+	0xb0, 0x46, 0x6e, 0x02, 0xf5, 0xdf, 0x1d, 0x28, 0xdb, 0x31, 0x77, 0xfe, 0xa6, 0xde, 0x34, 0x4c,
+	0xe1, 0x96, 0x61, 0x8e, 0x01, 0xdd, 0xfa, 0xee, 0xa4, 0x8f, 0xe4, 0x9e, 0x1f, 0x9e, 0xf5, 0xc5,
+	0x0f, 0x8f, 0x6c, 0x76, 0xa1, 0xa8, 0x45, 0xa2, 0x0a, 0xb8, 0x83, 0xfd, 0x7d, 0xef, 0x11, 0x2a,
+	0x43, 0x61, 0xd0, 0xf7, 0x1c, 0xf4, 0x3e, 0xac, 0x0f, 0xfa, 0xa3, 0x37, 0xbd, 0xe3, 0xd7, 0xa3,
+	0x5e, 0x7f, 0xf7, 0xe0, 0xdb, 0x61, 0x6f, 0xd0, 0xf7, 0x0a, 0xf3, 0x70, 0xf7, 0xfb, 0x14, 0x76,
+	0x9f, 0x77, 0x60, 0x6d, 0xe1, 0x1c, 0xd0, 0x3b, 0xb0, 0xd2, 0xed, 0xef, 0x0f, 0xf0, 0x6e, 0x77,
+	0xcf, 0x7b, 0x84, 0x56, 0x01, 0x8e, 0xba, 0xf8, 0xb0, 0x37, 0x1c, 0xf6, 0xbe, 0xeb, 0x7a, 0xce,
+	0x4e, 0xeb, 0xef, 0xeb, 0x86, 0xf3, 0xcf, 0x75, 0xc3, 0xf9, 0xf7, 0xba, 0xe1, 0xfc, 0x50, 0xb7,
+	0xf2, 0x29, 0xef, 0x04, 0x31, 0xed, 0xdc, 0xf8, 0x0b, 0x31, 0x2e, 0x9b, 0xbf, 0x0f, 0x5f, 0xfc,
+	0x17, 0x00, 0x00, 0xff, 0xff, 0x6e, 0x5d, 0x8c, 0xf1, 0x5a, 0x08, 0x00, 0x00,
 }
diff --git a/rbac/v1alpha1/rbac.proto b/rbac/v1alpha1/rbac.proto
index 1b138bda48..69c080cd5d 100644
--- a/rbac/v1alpha1/rbac.proto
+++ b/rbac/v1alpha1/rbac.proto
@@ -1,4 +1,4 @@
-// Copyright 2018 Istio Authors
+// Copyright 2019 Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -84,9 +84,42 @@ package istio.rbac.v1alpha1;
 
 option go_package="istio.io/api/rbac/v1alpha1";
 
+// $hide_from_docs
+// This is forked from the networking/v1alpha3/sidecar.proto to avoid a direct
+// dependency from the rbac API on networking API.
+// TODO: Move the WorkloadSelector to a common place to be shared by other packages.
+// WorkloadSelector specifies the criteria used to determine if the Gateway
+// or Sidecar resource can be applied to a proxy. The matching criteria
+// includes the metadata associated with a proxy, workload info such as
+// labels attached to the pod/VM, or any other info that the proxy provides
+// to Istio during the initial handshake. If multiple conditions are
+// specified, all conditions need to match in order for the workload to be
+// selected. Currently, only label based selection mechanism is supported.
+message WorkloadSelector {
+  // One or more labels that indicate a specific set of pods/VMs on which
+  // this sidecar configuration should be applied. The scope of label
+  // search is restricted to the configuration namespace in which the the
+  // resource is present.
+  map<string, string> labels = 1;
+}
+
+// $hide_from_docs
+// AuthorizationPolicy to enforce access control on a selected workload.
+message AuthorizationPolicy {
+  // $hide_from_docs
+  // Optional. One or more labels that indicate a specific set of pods/VMs
+  // on which this authorization policy should be applied. Leave this empty to
+  // select all pods/VMs.
+  // The scope of label search is platform dependent. On Kubernetes, for example,
+  // the scope includes pods running in the same namespace as the authorization policy itself.
+  WorkloadSelector workload_selector = 1;
+
+  // $hide_from_docs
+  // A list of bindings that specify the subjects and permissions to the selected workload.
+  repeated ServiceRoleBinding allow = 2;
+}
+
 // ServiceRole specification contains a list of access rules (permissions).
-// This represent the "Spec" part of the ServiceRole object. The name and namespace
-// of the ServiceRole is specified in "metadata" section of the ServiceRole object.
 message ServiceRole {
   // Required. The set of access rules (permissions) that the role has.
   repeated AccessRule rules = 1;
@@ -102,37 +135,69 @@ message AccessRule {
   // If set to ["*"], it refers to all services in the namespace.
   repeated string services = 1;
 
+  // $hide_from_docs
+  // Optional. A list of HTTP hosts. This is matched against the HOST header in
+  // a HTTP request. Exact match, prefix match and suffix match are supported.
+  // For example, the host "test.abc.com" matches "test.abc.com" (exact match),
+  // or "*.abc.com" (prefix match), or "test.abc.*" (suffix match).
+  // If not specified, it matches to any host.
+  repeated string hosts = 5;
+
+  // $hide_from_docs
+  // Optional. A list of HTTP hosts that must not be matched.
+  repeated string not_hosts = 6;
+
   // Optional. A list of HTTP paths or gRPC methods.
   // gRPC methods must be presented as fully-qualified name in the form of
   // "/packageName.serviceName/methodName" and are case sensitive.
-  // Exact match, prefix match, and suffix match are supported for paths.
-  // For example, the path "/books/review" matches
-  // "/books/review" (exact match), or "/books/*" (prefix match),
-  // or "*/review" (suffix match).
-  // If not specified, it applies to any path.
+  // Exact match, prefix match, and suffix match are supported. For example,
+  // the path "/books/review" matches "/books/review" (exact match),
+  // or "/books/*" (prefix match), or "*/review" (suffix match).
+  // If not specified, it matches to any path.
   repeated string paths = 2;
 
+  // $hide_from_docs
+  // Optional. A list of HTTP paths or gRPC methods that must not be matched.
+  repeated string not_paths = 7;
+
   // Optional. A list of HTTP methods (e.g., "GET", "POST").
   // It is ignored in gRPC case because the value is always "POST".
-  // If set to ["*"] or not specified, it applies to any method.
+  // If not specified, it matches to any methods.
   repeated string methods = 3;
 
+  // $hide_from_docs
+  // Optional. A list of HTTP methods that must not be matched.
+  // Note: It's an error to set methods and not_methods at the same time.
+  repeated string not_methods = 8;
+
+  // $hide_from_docs
+  // Optional. A list of port numbers of the request. If not specified, it matches
+  // to any port number.
+  // Note: It's an error to set ports and not_ports at the same time.
+  repeated int32 ports = 9;
+
+  // $hide_from_docs
+  // Optional.  A list of port numbers that must not be matched.
+  // Note: It's an error to set ports and not_ports at the same time.
+  repeated int32 not_ports = 10;
+
   // Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page.
   message Constraint {
     // Key of the constraint.
     string key = 1;
 
     // List of valid values for the constraint.
-    // Exact match, prefix match, and suffix match are supported for constraint values.
-    // For example, the value "v1alpha2" matches
-    // "v1alpha2" (exact match), or "v1*" (prefix match),
-    // or "*alpha2" (suffix match).
+    // Exact match, prefix match, and suffix match are supported.
+    // For example, the value "v1alpha2" matches "v1alpha2" (exact match),
+    // or "v1*" (prefix match), or "*alpha2" (suffix match).
     repeated string values = 2;
   }
 
   // Optional. Extra constraints in the ServiceRole specification.
-  // The above ServiceRole example shows an example of constraint "version".
   repeated Constraint constraints = 4;
+
+  // $hide_from_docs
+  // Next available field number: 11
 }
 
 // $hide_from_docs
@@ -148,12 +213,9 @@ enum EnforcementMode {
   // Policy in PERMISSIVE mode isn't enforced and has no impact on users.
   // RBAC engine run policies in PERMISSIVE mode and logs stats.
   PERMISSIVE = 1;
- }
+}
 
 // ServiceRoleBinding assigns a ServiceRole to a list of subjects.
-// This represents the "Spec" part of the ServiceRoleBinding object. The name and namespace
-// of the ServiceRoleBinding is specified in "metadata" section of the ServiceRoleBinding
-// object.
 message ServiceRoleBinding {
   // Required. List of subjects that are assigned the ServiceRole object.
   repeated Subject subjects = 1;
@@ -172,13 +234,52 @@ message Subject {
   // Optional. The user name/ID that the subject represents.
   string user = 1;
 
+  // $hide_from_docs
+  // Optional. A list of principals that the subject represents. This is matched to the
+  // `source.principal` attribute. If not specified, it applies to any principals.
+  repeated string principals = 4;
+
+  // $hide_from_docs
+  // Optional. A list of principals that must not be matched.
+  repeated string not_principals = 5;
+
   // $hide_from_docs
   // Optional. The group that the subject belongs to.
-  string group = 2;
+  // Deprecated. Use groups and not_groups instead.
+  string group = 2 [deprecated = true];
+
+  // $hide_from_docs
+  // Optional. A list of groups that the subject represents. This is matched to the
+  // `request.auth.claims[groups]` attribute. If not specified, it applies to any groups.
+  repeated string groups = 6;
+
+  // $hide_from_docs
+  // Optional. A list of groups that must not be matched.
+  repeated string not_groups = 7;
+
+  // $hide_from_docs
+  // Optional. A list of namespaces that the subject represents. This is matched to
+  // the `source.namespace` attribute. If not specified, it applies to any namespaces.
+  repeated string namespaces = 8;
+
+  // $hide_from_docs
+  // Optional. A list of namespaces that must not be matched.
+  repeated string not_namespaces = 9;
+
+  // $hide_from_docs
+  // Optional. A list of IP address or CIDR ranges that the subject represents.
+  // E.g. 192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP addresses.
+  repeated string ips = 10;
+
+  // $hide_from_docs
+  // Optional. A list of IP addresses or CIDR ranges that must not be matched.
+  repeated string not_ips = 11;
 
   // Optional. The set of properties that identify the subject.
-  // The above ServiceRoleBinding example shows an example of property "source.namespace".
   map<string, string> properties = 3;
+
+  // $hide_from_docs
+  // Next available field number: 12
 }
 
 // RoleRef refers to a role object.
@@ -188,8 +289,7 @@ message RoleRef {
   string kind = 1;
 
   // Required. The name of the ServiceRole object being referenced.
-  // The ServiceRole object must be in the same namespace as the ServiceRoleBinding
-  // object.
+  // The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.
   string name = 2;
 }
 
@@ -236,6 +336,10 @@ message RbacConfig {
     // A list of services.
     repeated string services = 1;
 
+    // $hide_from_docs
+    // A list of workloads.
+    repeated WorkloadSelector workload_selectors = 3;
+
     // A list of namespaces.
     repeated string namespaces = 2;
   }